CVE-2026-5160

github.com/yuin/goldmark/renderer/html: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation

Description

Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript&colon;alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.

INFO

Published Date :

2026-04-15T05:00:01.655Z

Last Modified :

2026-04-15T18:07:10.025Z

Source :

snyk

AFFECTED PRODUCTS

The following products are affected by CVE-2026-5160 vulnerability.

Vendors	Products
Yuin	Goldmark

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-5160.

URL	Resource
https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9
https://nvd.nist.gov/vuln/detail/CVE-2026-5160
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERERHTML-15838406
https://www.cve.org/CVERecord?id=CVE-2026-5160