[MEDIUM] CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names

PKSA-2cx9-ynrq-qdk3 CVE-2026-30838 GHSA-4v6x-c7xx-hw9f

Affected package: league/commonmark

Affected version: <=2.8.0

Reported by:
GitHub