A cross-site scripting (XSS) vulnerability was found in the PHP League's CommonMark library ( league/commonmark ) versions 0.15.6 through 0.18.x before 0.18.1. It allows remote attackers to insert unsafe URLs into <a> tags (even if allow_unsafe_links is false ) by adding an encoded newline character in the middle (e.g., writing javascript as javascri%0Apt ).

Version 0.18.1 has been released to fix this issue. All users are strongly encouraged to upgrade to this version.

For more details about the vulnerability, potential impact, and the solution please see the library's official announcement here about CVE-2018-20583.