{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46734", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-28T20:56:09.085Z", "datePublished": "2025-05-05T19:52:59.521Z", "dateUpdated": "2025-05-06T13:47:03.821Z"}, "containers": {"cna": {"title": "league/commonmark Cross-site Scripting vulnerability in Attributes extension", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx"}, {"name": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b", "tags": ["x_refsource_MISC"], "url": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b"}], "affected": [{"vendor": "thephpleague", "product": "commonmark", "versions": [{"version": "< 2.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-05T19:52:59.521Z"}, "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier."}], "source": {"advisory": "GHSA-3527-qv2q-pfvx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-06T13:46:48.899340Z", "id": "CVE-2025-46734", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T13:47:03.821Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46734", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-06T13:46:48.899340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-06T13:46:58.876Z"}}], "cna": {"title": "league/commonmark Cross-site Scripting vulnerability in Attributes extension", "source": {"advisory": "GHSA-3527-qv2q-pfvx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "thephpleague", "product": "commonmark", "versions": [{"status": "affected", "version": "< 2.7.0"}]}], "references": [{"url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx", "name": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b", "name": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-05T19:52:59.521Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46734", "state": "PUBLISHED", "dateUpdated": "2025-05-06T13:47:03.821Z", "dateReserved": "2025-04-28T20:56:09.085Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-05T19:52:59.521Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier."}, {"lang": "es", "value": "league/commonmark es un analizador de PHP Markdown. Una vulnerabilidad de cross-site scripting (XSS) en la extensi\u00f3n Attributes de la librer\u00eda league/commonmark (versiones 1.5.0 a 2.6.x) permite a atacantes remotos insertar llamadas JavaScript maliciosas en HTML. La librer\u00eda league/commonmark ofrece opciones de configuraci\u00f3n como `html_input: 'strip'` y `allow_unsafe_links: false` para mitigar los ataques de cross-site scripting (XSS) eliminando HTML sin formato y deshabilitando enlaces no seguros. Sin embargo, al habilitar la extensi\u00f3n Attributes, los usuarios pueden inyectar atributos HTML arbitrarios en elementos mediante la sintaxis Markdown, utilizando llaves. La versi\u00f3n 2.7.0 incluye tres cambios para prevenir este vector de ataque XSS: todos los atributos que empiezan por `on` se consideran no seguros y se bloquean por defecto; se admite una lista expl\u00edcita de atributos HTML permitidos; y los atributos `href` y `src` a\u00f1adidos manualmente ahora respetan la opci\u00f3n de configuraci\u00f3n `allow_unsafe_links`. Si la actualizaci\u00f3n no es posible, considere deshabilitar `AttributesExtension` para usuarios no confiables y/o filtrar el HTML renderizado a trav\u00e9s de una librer\u00eda como HTMLPurifier."}], "id": "CVE-2025-46734", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-05T20:15:21.613", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b"}, {"source": "security-advisories@github.com", "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-06-23T19:31:58.711692+00:00", "updated": "2025-06-23T19:31:58.711758+00:00", "vendors": ["thephpleague", "thephpleague$PRODUCT$commonmark"]}