cvelistv5 - CVE-2025-46734

CVE-2025-46734 (GCVE-0-2025-46734)

Vulnerability from cvelistv5 – Published: 2025-05-05 19:52 – Updated: 2025-05-06 13:47

Summary

league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.

Severity ?

6.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/thephpleague/commonmark/securi…	x_refsource_CONFIRM
	https://github.com/thephpleague/commonmark/commit…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	thephpleague	commonmark	Affected: < 2.7.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46734",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-06T13:46:48.899340Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-06T13:47:03.821Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "commonmark",
          "vendor": "thephpleague",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.7.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: \u0027strip\u0027` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-05T19:52:59.521Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx"
        },
        {
          "name": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b"
        }
      ],
      "source": {
        "advisory": "GHSA-3527-qv2q-pfvx",
        "discovery": "UNKNOWN"
      },
      "title": "league/commonmark Cross-site Scripting vulnerability in Attributes extension"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-46734",
    "datePublished": "2025-05-05T19:52:59.521Z",
    "dateReserved": "2025-04-28T20:56:09.085Z",
    "dateUpdated": "2025-05-06T13:47:03.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-46734\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-05T20:15:21.613\",\"lastModified\":\"2025-05-05T20:54:19.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: \u0027strip\u0027` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.\"},{\"lang\":\"es\",\"value\":\"league/commonmark es un analizador de PHP Markdown. Una vulnerabilidad de cross-site scripting (XSS) en la extensi\u00f3n Attributes de la librer\u00eda league/commonmark (versiones 1.5.0 a 2.6.x) permite a atacantes remotos insertar llamadas JavaScript maliciosas en HTML. La librer\u00eda league/commonmark ofrece opciones de configuraci\u00f3n como `html_input: \u0027strip\u0027` y `allow_unsafe_links: false` para mitigar los ataques de cross-site scripting (XSS) eliminando HTML sin formato y deshabilitando enlaces no seguros. Sin embargo, al habilitar la extensi\u00f3n Attributes, los usuarios pueden inyectar atributos HTML arbitrarios en elementos mediante la sintaxis Markdown, utilizando llaves. La versi\u00f3n 2.7.0 incluye tres cambios para prevenir este vector de ataque XSS: todos los atributos que empiezan por `on` se consideran no seguros y se bloquean por defecto; se admite una lista expl\u00edcita de atributos HTML permitidos; y los atributos `href` y `src` a\u00f1adidos manualmente ahora respetan la opci\u00f3n de configuraci\u00f3n `allow_unsafe_links`. Si la actualizaci\u00f3n no es posible, considere deshabilitar `AttributesExtension` para usuarios no confiables y/o filtrar el HTML renderizado a trav\u00e9s de una librer\u00eda como HTMLPurifier.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"baseScore\":6.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46734\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-06T13:46:48.899340Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-06T13:46:58.876Z\"}}], \"cna\": {\"title\": \"league/commonmark Cross-site Scripting vulnerability in Attributes extension\", \"source\": {\"advisory\": \"GHSA-3527-qv2q-pfvx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"thephpleague\", \"product\": \"commonmark\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.7.0\"}]}], \"references\": [{\"url\": \"https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx\", \"name\": \"https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b\", \"name\": \"https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: \u0027strip\u0027` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-05T19:52:59.521Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-46734\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-06T13:47:03.821Z\", \"dateReserved\": \"2025-04-28T20:56:09.085Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-05T19:52:59.521Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-3527-QV2Q-PFVX

Vulnerability from github – Published: 2025-05-05 20:40 – Updated: 2025-05-05 22:06

Summary

league/commonmark contains a XSS vulnerability in Attributes extension

Details

Summary

Cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.

Details

The league/commonmark library provides configuration options such as html_input: 'strip' and allow_unsafe_links: false to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces.

As a result, even with the secure configuration shown above, an attacker can inject dangerous attributes into applications using this extension via a payload such as:

![](){onerror=alert(1)}

Which results in the following HTML:

<p><img onerror="alert(1)" src="" alt="" /></p>

Which causes the JS to execute immediately on page load.

Patches

Version 2.7.0 contains three changes to prevent this XSS attack vector:

All attributes starting with on are considered unsafe and blocked by default
Support for an explicit allowlist of allowed HTML attributes
Manually-added href and src attributes now respect the existing allow_unsafe_links configuration option

Workarounds

If upgrading is not feasible, please consider:

Disabling the AttributesExtension for untrusted users
Filtering the rendered HTML through a library like HTMLPurifier

Severity ?

6.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "league/commonmark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46734"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T20:40:36Z",
    "nvd_published_at": "2025-05-05T20:15:21Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nCross-site scripting (XSS) vulnerability in the [Attributes extension](https://commonmark.thephpleague.com/extensions/attributes/) of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.\n\n### Details\n\nThe league/commonmark library provides configuration options such as `html_input: \u0027strip\u0027` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces.\n\nAs a result, even with the secure configuration shown above, an attacker can inject dangerous attributes into applications using this extension via a payload such as:\n\n```md\n![](){onerror=alert(1)}\n```\n\nWhich results in the following HTML:\n\n```html\n\u003cp\u003e\u003cimg onerror=\"alert(1)\" src=\"\" alt=\"\" /\u003e\u003c/p\u003e\n```\n\nWhich causes the JS to execute immediately on page load.\n\n### Patches\n\nVersion 2.7.0 contains three changes to prevent this XSS attack vector:\n\n- All attributes starting with `on` are considered unsafe and blocked by default\n- [Support for an explicit allowlist of allowed HTML attributes](https://commonmark.thephpleague.com/2.7/extensions/attributes/#configuration)\n- Manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option\n\n### Workarounds\n\nIf upgrading is not feasible, please consider:\n\n- Disabling the `AttributesExtension` for untrusted users\n- [Filtering the rendered HTML through a library like HTMLPurifier](https://commonmark.thephpleague.com/security/#additional-filtering)",
  "id": "GHSA-3527-qv2q-pfvx",
  "modified": "2025-05-05T22:06:59Z",
  "published": "2025-05-05T20:40:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46734"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thephpleague/commonmark"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "league/commonmark contains a XSS vulnerability in Attributes extension"
}

FKIE_CVE-2025-46734

Vulnerability from fkie_nvd - Published: 2025-05-05 20:15 - Updated: 2025-05-05 20:54

Severity ?

6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b
	security-advisories@github.com	https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: \u0027strip\u0027` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with `on` are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added `href` and `src` attributes now respect the existing `allow_unsafe_links` configuration option. If upgrading is not feasible, please consider disabling the `AttributesExtension` for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier."
    },
    {
      "lang": "es",
      "value": "league/commonmark es un analizador de PHP Markdown. Una vulnerabilidad de cross-site scripting (XSS) en la extensi\u00f3n Attributes de la librer\u00eda league/commonmark (versiones 1.5.0 a 2.6.x) permite a atacantes remotos insertar llamadas JavaScript maliciosas en HTML. La librer\u00eda league/commonmark ofrece opciones de configuraci\u00f3n como `html_input: \u0027strip\u0027` y `allow_unsafe_links: false` para mitigar los ataques de cross-site scripting (XSS) eliminando HTML sin formato y deshabilitando enlaces no seguros. Sin embargo, al habilitar la extensi\u00f3n Attributes, los usuarios pueden inyectar atributos HTML arbitrarios en elementos mediante la sintaxis Markdown, utilizando llaves. La versi\u00f3n 2.7.0 incluye tres cambios para prevenir este vector de ataque XSS: todos los atributos que empiezan por `on` se consideran no seguros y se bloquean por defecto; se admite una lista expl\u00edcita de atributos HTML permitidos; y los atributos `href` y `src` a\u00f1adidos manualmente ahora respetan la opci\u00f3n de configuraci\u00f3n `allow_unsafe_links`. Si la actualizaci\u00f3n no es posible, considere deshabilitar `AttributesExtension` para usuarios no confiables y/o filtrar el HTML renderizado a trav\u00e9s de una librer\u00eda como HTMLPurifier."
    }
  ],
  "id": "CVE-2025-46734",
  "lastModified": "2025-05-05T20:54:19.760",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-05T20:15:21.613",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-46734 (GCVE-0-2025-46734)

GHSA-3527-QV2Q-PFVX

Summary

Details

Patches

Workarounds

FKIE_CVE-2025-46734

Tags

Sightings

Nomenclature