Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-6amb-ueem-w3h6
Vulnerability ID VCID-6amb-ueem-w3h6
Aliases CVE-2025-46734
GHSA-3527-qv2q-pfvx
Summary league/commonmark contains a XSS vulnerability in Attributes extension Cross-site scripting (XSS) vulnerability in the [Attributes extension](https://commonmark.thephpleague.com/extensions/attributes/) of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-46734
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-46734
cvssv3.1 6.4 https://github.com/thephpleague/commonmark
generic_textual MODERATE https://github.com/thephpleague/commonmark
cvssv3.1 6.4 https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b
generic_textual MODERATE https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b
ssvc Track https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b
cvssv3.1 6.4 https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx
generic_textual MODERATE https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx
ssvc Track https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx
cvssv3.1 6.4 https://nvd.nist.gov/vuln/detail/CVE-2025-46734
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-46734
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-46734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46734
https://github.com/thephpleague/commonmark
https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b
CVE-2025-46734 https://nvd.nist.gov/vuln/detail/CVE-2025-46734
GHSA-3527-qv2q-pfvx https://github.com/advisories/GHSA-3527-qv2q-pfvx
GHSA-3527-qv2q-pfvx https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx
USN-8194-1 https://usn.ubuntu.com/8194-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/thephpleague/commonmark
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-06T13:46:48Z/ Found at https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-06T13:46:48Z/ Found at https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-46734
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.15974
EPSS Score 0.0005
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:23:57.413376+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/league/commonmark/CVE-2025-46734.yml 38.6.0