CVE-2025-46734: league/commonmark contains an XSS vulnerability in the Attributes extension
Cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.