What is the severity of CVE-2026-30838?

CVE-2026-30838 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-30838?

No known public exploits are currently available for CVE-2026-30838.

Is there a patch available for CVE-2026-30838?

Yes, patches are available for CVE-2026-30838. Check the vendor advisories for update instructions.

CVE-2026-30838 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-30838?

### Impact The `DisallowedRawHtml` extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing `>`. For example, ` ` would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input. All applications using the `DisallowedRawHtml` extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected. ### Patches Fixed in 2.8.1. The regex character class `[ \/>]` was changed to `[\s\/>]` to match all whitespace characters that browsers accept as valid tag name terminators. ### Workarounds - Set the `html_input` configuration option to `'escape'` or `'strip'` to disable all raw HTML, though this is a broader restriction than the `DisallowedRawHtml` extension provides. - Pass the rendered HTML through a dedicated HTML sanitizer before serving it to users ([always recommended](https://commonmark.thephpleague.com/2.x/security/#additional-filtering)) ### Resources - [CommonMark DisallowedRawHtml documentation](https://commonmark.thephpleague.com/extensions/disallowed-raw-html/) - [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html) - [CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)](https://cwe.mitre.org/data/definitions/80.html)

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

The DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing >. For example, <script\n> would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input.

All applications using the DisallowedRawHtml extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected.

Patches

Fixed in 2.8.1. The regex character class [ \/>] was changed to [\s\/>] to match all whitespace characters that browsers accept as valid tag name terminators.

Workarounds

Set the html_input configuration option to 'escape' or 'strip' to disable all raw HTML, though this is a broader restriction than the DisallowedRawHtml extension provides.
Pass the rendered HTML through a dedicated HTML sanitizer before serving it to users (always recommended)

Resources

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-