Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/league/commonmark@0.18.1
purl pkg:composer/league/commonmark@0.18.1
Next non-vulnerable version 2.8.2
Latest non-vulnerable version 2.8.2
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-2rex-2yad-nbet
Aliases:
GHSA-c2pc-g5qf-rfrf
league/commonmark's quadratic complexity bugs may lead to a denial of service Several polynomial time complexity issues in league/commonmark may lead to unbounded resource exhaustion and subsequent denial of service. Malicious users could trigger that inefficient code with carefully crafted Markdown inputs that are specifically designed to ensure the worst-case performance is reached. Sending multiple such requests in parallel could tie up all available CPU resources and/or PHP-FPM processes, leading to denial of service for legitimate users.
2.6.0
Affected by 3 other vulnerabilities.
VCID-munr-vy4r-dyct
Aliases:
CVE-2019-10010
GHSA-3v43-877x-qgmq
Cross-site Scripting Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583.
0.18.3
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-m1hf-fjyz-rbdp Cross-site Scripting Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library allows remote attackers to insert unsafe URLs into HTML (even if `allow_unsafe_links` is false) via a newline character (e.g., writing `javascript` as `javascri%0apt`). CVE-2018-20583
GHSA-qx76-c53f-5c7q

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T05:33:50.055990+00:00 GitLab Importer Affected by VCID-2rex-2yad-nbet https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/league/commonmark/GHSA-c2pc-g5qf-rfrf.yml 38.6.0
2026-06-05T16:22:38.282143+00:00 GHSA Importer Affected by VCID-munr-vy4r-dyct https://github.com/advisories/GHSA-3v43-877x-qgmq 38.6.0
2026-06-04T20:20:05.962524+00:00 GitLab Importer Affected by VCID-munr-vy4r-dyct https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/league/commonmark/CVE-2019-10010.yml 38.6.0
2026-06-04T17:53:55.023197+00:00 GithubOSV Importer Fixing VCID-m1hf-fjyz-rbdp https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qx76-c53f-5c7q/GHSA-qx76-c53f-5c7q.json 38.6.0
2026-06-02T04:38:44.334158+00:00 GitLab Importer Fixing VCID-m1hf-fjyz-rbdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/league/commonmark/CVE-2018-20583.yml 38.6.0