A cross-site scripting (XSS) vulnerability was found in the PHP League’s CommonMark library (league/commonmark)
versions 0.15.6 through 0.18.x before 0.18.1. It allows remote attackers to insert unsafe URLs into
<a> tags (even if
false) by adding an encoded newline character in the middle (e.g., writing
Version 0.18.1 has been released to fix this issue. All users are strongly encouraged to upgrade to this version.
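
Added example, not code from this advisory or from league/commonmark: a PHP sketch of the bug class described above, contrasting a scheme check on the URL text as written with one that decodes and strips control characters before allowlisting the scheme. The function names, the allowlist and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist for this sketch; adjust to what your application needs.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

// Simplified stand-in for a denylist check on the URL text as written.
// This is not league/commonmark's code.
function isSafeUrlNaive(string $url): bool
{
    return preg_match('/^(javascript|vbscript|file|data):/i', $url) !== 1;
}

// Normalise first, then allow only known schemes (or scheme-less URLs).
function isSafeUrlHardened(string $url): bool
{
    // Decode entities and percent-escapes until the value is stable, so
    // nested encodings cannot hide a character; reject after 5 rounds.
    for ($round = 0; ; $round++) {
        $decoded = rawurldecode(html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
        if ($decoded === $url) {
            break;
        }
        if ($round === 5) {
            return false;
        }
        $url = $decoded;
    }
    // Drop control characters and whitespace. This is deliberately stricter
    // than browsers, which strip tab, CR and LF from URLs before parsing.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url);
    if ($url === null) {
        return false;
    }
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m) !== 1) {
        return true; // relative or scheme-less URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['https://example.com/docs', '/relative/path', 'javascript:void(0)',
            'java&#10;script:void(0)', 'java%0Ascript:void(0)'];
foreach ($samples as $s) {
    printf("%-26s naive=%-5s hardened=%s\n", $s,
        var_export(isSafeUrlNaive($s), true), var_export(isSafeUrlHardened($s), true));
}
```

The last two samples pass the naive check and are rejected by the hardened one; upgrading to 0.18.1 remains the fix for the library itself.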