league/commonmark is vulnerable to cross-site scripting (XSS). A remote attacker can inject arbitrary JavaScript into a victim’s browser through unsafe links that use double-encoded HTML entities, and can use it to steal session tokens or perform unwanted actions on behalf of the user.
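The bug class described above, handled defensively in an added example that is not code from league/commonmark: a link target is entity-decoded until it stops changing, checked against a scheme allowlist, and then escaped exactly once on output. The function name `safe_href`, the allowlist and the sample inputs are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of league/commonmark.
// Assumed policy: only these schemes may appear in an emitted href.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/** Returns an attribute-safe href, or null if the target must be dropped. */
function safe_href(string $raw, int $maxRounds = 5): ?string
{
    // 1. Decode entities until the value stops changing, so a double-encoded
    //    "&amp;colon;" is seen as ":" before any scheme check runs.
    $value = $raw;
    for ($round = 0; ; $round++) {
        $decoded = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($decoded === $value) {
            break;
        }
        if ($round >= $maxRounds) {
            return null; // still changing: refuse rather than guess
        }
        $value = $decoded;
    }

    // 2. Find the scheme. Browsers ignore leading control characters and
    //    embedded tabs/newlines; stripping all of them is a stricter superset.
    $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $value) ?? $value;
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m) === 1
        && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
        return null;
    }

    // 3. Emit the checked value escaped exactly once, so no entity is left
    //    for the browser to decode into something that was never checked.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'https://example.com/?a=1&amp;b=2',
    'javascript:void(0)',
    'javascript&amp;colon;void(0)',   // double-encoded named entity
    'java&amp;#x73;cript:void(0)',    // double-encoded numeric reference
    '/docs/page#section',
];
foreach ($samples as $s) {
    printf("%-34s => %s\n", $s, var_export(safe_href($s), true));
}
```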