Python
CVE-2025-46656
LOW
Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 51 pypi packages depend on markdownify (39 direct, 13 indirect)
Ecosystem-wide dependent count for version 0.14.1.
DescriptionCVE.org
python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption.
AnalysisAI
python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. Rated low severity (CVSS 2.9), this vulnerability is no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-1284. python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption. Affected products include: Matthewwithanm Markdownify. Version information: before 0.14.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More from same product – last 7 days
Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U
Share
External POC / Exploit Code
Leaving vuln.today