Bug 2458616 (CVE-2026-5160) - CVE-2026-5160 github.com/yuin/goldmark/renderer/html: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation
Summary: CVE-2026-5160 github.com/yuin/goldmark/renderer/html: github.com/yuin/goldmar...
Keywords:
Status: NEW
Alias: CVE-2026-5160
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2458970 2458972 2458973 2458974 2458975 2458978 2458979 2458981 2458982 2458983 2458985 2458987 2458988 2458989 2458992 2458993 2458996 2458968 2458969 2458971 2458976 2458980 2458984 2458986 2458991 2458994 2458995 2458997 2458998 2488667
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-15 06:01 UTC by OSIDB Bzimport
Modified: 2026-06-13 02:22 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-15 06:01:14 UTC
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.

Comment 2 Marco Benatto 2026-04-16 18:20:54 UTC
Public upstream commit fixing this issue:
https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9


Note You need to log in before you can comment on or make changes to this bug.