Browse all 5 CVE security advisories affecting thephpleague. AI-powered Chinese analysis, POCs, and references for each vulnerability.
The PHP League develops high-quality PHP packages that serve as fundamental components for web applications, with their libraries frequently handling critical functions like routing, authentication, and data processing. Historically, their packages have been susceptible to remote code execution, cross-site scripting, and privilege escalation vulnerabilities, often stemming from improper input validation or insecure deserialization. While no major security incidents have been publicly documented, their five CVEs highlight ongoing risks in widely-used dependencies that, if exploited, could enable attackers to compromise entire application ecosystems. Their security posture reflects broader challenges in the PHP package ecosystem, where complex dependencies and rapid development cycles can introduce exploitable flaws.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33347 | league/commonmark has an embed extension allowed_domains bypass — commonmarkCWE-79 | 9.1 | - | 2026-03-24 |
| CVE-2026-30838 | league/commonmark: DisallowedRawHtml extension bypass via whitespace in HTML tag names — commonmarkCWE-79 | 5.4 | - | 2026-03-07 |
| CVE-2025-46734 | league/commonmark Cross-site Scripting vulnerability in Attributes extension — commonmarkCWE-79 | 6.4 | Medium | 2025-05-05 |
| CVE-2023-37260 | league/oauth2-server key exposed in exception message when passing as string and providing invalid pass phrase — oauth2-serverCWE-209 | 8.2 | High | 2023-07-06 |
| CVE-2021-32708 | Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem — flysystemCWE-367 | 9.8 | Critical | 2021-06-24 |
This page lists every published CVE security advisory associated with thephpleague. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.