
CVE-2025-46734 – league/commonmark Cross-site Scripting vulnerability in Attributes extension
https://notcve.org/view.php?id=CVE-2025-46734
05 May 2025 — league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as `html_input: 'strip'` and `allow_unsafe_links: false` to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension ... • https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2019-10010
https://notcve.org/view.php?id=CVE-2019-10010
24 Mar 2019 — Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583. Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library, in versions prior to 0.18.3, allows remote attackers to insert unsafe links into HTML by using doubly-encoded HTML entities... • https://github.com/thephpleague/commonmark/issues/353 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-20583
https://notcve.org/view.php?id=CVE-2018-20583
30 Dec 2018 — Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writing javascript as javascri%0apt). Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library, from version 0.15.6 through the 0.18.x versions prior to 0.18.1, allows remote attackers to insert unsafe URLs into HTML (even if al... • https://commonmark.thephpleague.com/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')