PT-2025-19795 · league/commonmark

Trikkss · Published 2025-05-05 · Updated 2026-04-21 · CVE-2025-46734

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: league/commonmark versions 1.5.0 through 2.6.x
Description: A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library allows an attacker who can supply Markdown to an application to inject JavaScript into the rendered HTML. The library offers configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate XSS, but those options only govern raw HTML and link URLs in the Markdown source. When the AttributesExtension is enabled it adds a separate path: users can attach arbitrary HTML attributes to elements with curly-brace syntax, and in affected versions the extension passes those attributes through unfiltered. Event-handler attributes therefore reach the output and execute. For example, the payload `![](){onerror=alert(1)}` renders as `<p><img onerror="alert(1)" src="" alt="" /></p>`; because the empty `src` cannot load, the `error` event fires and the handler runs as soon as the page is rendered, with no user interaction.
Recommendations:
- Update to version 2.7.0 or later, which contains changes to close this attack vector: attributes whose names start with `on` are blocked by default, an explicit allowlist of permitted HTML attributes is supported, and the existing `allow_unsafe_links` option is now applied to `href` and `src` attributes added through the extension as well.
- If you must remain on 1.5.0 through 2.6.x, do not enable the AttributesExtension for content authored by untrusted users.
- On 1.5.0 through 2.6.x, additionally (or as defence in depth on any version) filter the rendered HTML through a sanitizer such as HTMLPurifier before it reaches the browser; this removes event-handler attributes and `javascript:` URLs regardless of how they entered the output.
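The following PHP script is an added illustration of the description and the recommendations above; it is not code from the advisory, from the GHSA, or from the league/commonmark project. It reproduces the bypass on an affected 2.x release with the advisory's own payload, then shows the 2.7.0 allowlist configuration and the HTMLPurifier fallback, and wraps each output in a small regression check. Assumptions: PHP 8, Composer packages `league/commonmark` (2.2 or later, for `convert()`) and `ezyang/htmlpurifier`; the `attributes` / `allow` option name is taken from my reading of the 2.7.0 release and should be checked against the documentation of the version you install; the second payload line (a `javascript:` `href` set through the extension) and the `containsScriptVector` helper are my own constructions, derived from the recommendation about manually added `href` and `src` attributes.

```php
<?php
// Added example (not the library's or the advisory's own code). Assumes:
//   composer require league/commonmark ezyang/htmlpurifier
// and PHP 8 (str_starts_with).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\CommonMark\Environment\Environment;
use League\CommonMark\Extension\Attributes\AttributesExtension;
use League\CommonMark\Extension\CommonMark\CommonMarkCoreExtension;
use League\CommonMark\MarkdownConverter;

// Constructed input. Line 1 is the advisory's payload: an image with an empty
// src, so the injected onerror handler fires as soon as the page renders.
// Line 2 is my own variant that sets href through the extension to probe
// whether allow_unsafe_links is honoured for extension-added URLs.
const PAYLOAD = '![](){onerror=alert(1)}' . "\n\n" . '[link](x){href="javascript:alert(2)"}';

function buildConverter(array $extraConfig = []): MarkdownConverter
{
    // html_input=strip and allow_unsafe_links=false are exactly the settings the
    // advisory says are insufficient once AttributesExtension is enabled.
    $config = array_merge([
        'html_input'         => 'strip',
        'allow_unsafe_links' => false,
    ], $extraConfig);

    $environment = new Environment($config);
    $environment->addExtension(new CommonMarkCoreExtension());
    $environment->addExtension(new AttributesExtension());
    return new MarkdownConverter($environment);
}

/**
 * Regression check (my own helper): true if the rendered HTML carries any
 * on* event-handler attribute, or a javascript: URL in href/src. Run it in
 * your test suite so a dependency downgrade or config change cannot silently
 * reopen the hole.
 */
function containsScriptVector(string $html): bool
{
    $doc = new DOMDocument();
    // Wrap the fragment in a root element; suppress libxml noise for odd markup
    // and forbid network access while parsing.
    @$doc->loadHTML('<div>' . $html . '</div>', LIBXML_NOERROR | LIBXML_NONET);
    foreach ((new DOMXPath($doc))->query('//@*') as $attr) {
        $name  = strtolower($attr->nodeName);
        $value = strtolower(trim($attr->nodeValue));
        if (str_starts_with($name, 'on')) {
            return true;
        }
        if (in_array($name, ['href', 'src'], true) && str_starts_with($value, 'javascript:')) {
            return true;
        }
    }
    return false;
}

// 1. Affected versions (1.5.0 - 2.6.x): the first line renders as
//    <p><img onerror="alert(1)" src="" alt="" /></p>
$vulnerable = (string) buildConverter()->convert(PAYLOAD);
printf("default config unsafe:   %s\n", containsScriptVector($vulnerable) ? 'yes' : 'no');

// 2. Hardened on 2.7.0+: on* attributes are dropped by default, allow_unsafe_links
//    now applies to extension-added href/src, and an explicit allowlist can be set.
//    The 'attributes' => ['allow' => [...]] key is an assumption based on the 2.7.0
//    release; it does not exist on earlier versions, so confirm it for your install.
$hardened = (string) buildConverter([
    'attributes' => ['allow' => ['id', 'class']],
])->convert(PAYLOAD);
printf("allowlist config unsafe: %s\n", containsScriptVector($hardened) ? 'yes' : 'no');

// 3. Defence in depth for any version: pass the rendered HTML through HTMLPurifier,
//    which strips event handlers and javascript: URLs whatever their origin.
$purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
$purified = $purifier->purify($vulnerable);
printf("purified output unsafe:  %s\n", containsScriptVector($purified) ? 'yes' : 'no');
```

On an affected release the first line prints `yes`; the purified output should print `no` on every version, which is why the sanitizer step is the one to rely on when you cannot upgrade immediately. The `containsScriptVector` check is deliberately narrow (event handlers and `javascript:` URLs only) so that it stays a cheap, deterministic unit test rather than a second sanitizer.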

Tags: Exploit · Fix · XSS


Related Identifiers

CVE-2025-46734
GHSA-3527-QV2Q-PFVX
USN-8194-1

Affected Products

Debian
Linuxmint
Ubuntu
League/Commonmark