VYPR
Moderate severity · OSV Advisory · Published Mar 24, 2019 · Updated Aug 4, 2024

CVE-2019-10010

Description

Cross-site scripting (XSS) vulnerability in PHP League CommonMark before 0.18.3 allows remote attackers to inject unsafe links via double-encoded HTML entities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before version 0.18.3 allows remote attackers to insert unsafe links into HTML output. The issue occurs when double-encoded HTML entities are not properly escaped during rendering, leading to injection of arbitrary HTML/JavaScript [1]. All versions prior to 0.18.3 are affected.

Exploitation

An attacker can craft Markdown content containing double-encoded HTML entities (e.g., <script>). When a vulnerable application renders this Markdown to HTML, the library fails to decode and escape these entities, resulting in the injection of unsafe links or script content. No authentication is required; the attacker only needs to supply the malicious input via any channel through which the application processes Markdown (e.g., user comments, chat messages) [1][2].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the rendered page, leading to cross-site scripting (XSS). This can result in session theft, credential harvesting, defacement, or other malicious actions within the security context of the affected application [1][4].

Mitigation

Upgrade to version 0.18.3 or later, which properly decodes and escapes double-encoded HTML entities [3]. For additional defense in depth, the library documentation recommends setting 'allow_unsafe_links' => false and 'html_input' => 'strip' when processing untrusted input [2][4]. No other workarounds are available.
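As an added example (not code from the advisory or from the library's own documentation), the hardened configuration named above shown next to the permissive defaults; it assumes league/commonmark 0.18.3 or a later 1.x release installed through Composer, whose CommonMarkConverter constructor accepts these two config keys:

```php
<?php
// Added example, not part of the advisory or the library. Assumes
// league/commonmark >= 0.18.3 installed via Composer, so vendor/autoload.php
// exists and CommonMarkConverter accepts a configuration array.
require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\CommonMarkConverter;

// Constructed sample input standing in for an untrusted user comment: raw
// inline HTML with an event handler and a link using the javascript: scheme.
$untrusted = "Hello <b onmouseover=\"alert(1)\">world</b>\n\n"
    . "[click me](javascript:alert(1))\n";

// Permissive: library defaults pass raw HTML through ('html_input' => 'allow')
// and do not reject unsafe link schemes ('allow_unsafe_links' => true).
$permissive = new CommonMarkConverter();

// Hardened: strip raw HTML blocks and inline HTML, and drop the href/src of
// javascript:, vbscript:, file: and non-image data: links, as the
// documentation recommends for untrusted input.
$hardened = new CommonMarkConverter([
    'html_input'         => 'strip',
    'allow_unsafe_links' => false,
]);

// Defensive wrapper: render with the hardened converter and fail closed if a
// javascript: URL somehow survives rendering (e.g. a downgraded dependency).
function renderUntrusted(CommonMarkConverter $converter, string $markdown): string
{
    $html = (string) $converter->convertToHtml($markdown);
    if (stripos($html, 'javascript:') !== false) {
        throw new RuntimeException('unsafe link survived Markdown rendering');
    }
    return $html;
}

echo "--- permissive ---\n", $permissive->convertToHtml($untrusted), "\n";
echo "--- hardened ---\n", renderUntrusted($hardened, $untrusted), "\n";
```

The wrapper is a belt-and-braces check on the output; it does not replace upgrading to 0.18.3 or later, which is the only fix for the double-encoding bug itself.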

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
league/commonmark (Packagist)    < 0.18.3            0.18.3

Patches (1)
b1ec41ce15c3

Release 0.18.3

https://github.com/thephpleague/commonmark · Colin O'Dell · Mar 21, 2019 · via osv
1 file changed · +1 −1
  • src/CommonMarkConverter.php · +1 −1 · modified
    @@ -26,7 +26,7 @@ class CommonMarkConverter extends Converter
          *
          * @deprecated This will be removed in 1.0.0
          */
    -    const VERSION = '0.19-dev';
    +    const VERSION = '0.18.3';
     
         /**
          * Create a new commonmark converter instance.
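Review bot: this hunk only relabels the VERSION constant from '0.19-dev' to '0.18.3'; the entity-handling change the advisory describes is not in it, so the release commit (or the advisory) should point at the commit that actually corrects the double-encoded entity handling, otherwise reviewers can verify the version label but not the fix. Since the docblock above marks the constant as deprecated and scheduled for removal in 1.0.0, downstream code should not read it to decide whether the patched release is installed; the Composer lock file version is the reliable check.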
    

Vulnerability mechanics

Root cause

"Double-encoded HTML entities are not properly escaped during rendering, allowing unsafe links to be injected into HTML output."

Attack vector

A remote attacker can inject unsafe links into HTML output by supplying Markdown input containing double-encoded HTML entities. Because the library does not properly decode or escape these entities during rendering, the double-encoding survives the conversion process and can be interpreted as executable content in the victim's browser. This is a cross-site scripting (XSS) attack [CWE-79] that differs from the previously reported CVE-2018-20583.

Affected code

The vulnerability exists in the PHP League CommonMark library before version 0.18.3. The patch only updates the version constant in `src/CommonMarkConverter.php` from `'0.19-dev'` to `'0.18.3'`, so the actual vulnerable code is not shown in this diff. The advisory describes the issue as double-encoded HTML entities that are not properly escaped during rendering.

What the fix does

The patch increments the version constant from `'0.19-dev'` to `'0.18.3'`, marking the release that contains the fix. The actual code change that corrects the double-encoding handling is not visible in this diff; however, the advisory states that the fix ensures double-encoded HTML entities are properly escaped during rendering so they are not interpreted as unsafe links in the generated HTML output.

Preconditions

  • config: The application must use the PHP League CommonMark library before version 0.18.3 to parse user-supplied Markdown
  • input: The attacker must be able to submit Markdown content containing double-encoded HTML entities

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
