Bug 2458616 (CVE-2026-5160) - CVE-2026-5160 github.com/yuin/goldmark/renderer/html: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation
Summary: CVE-2026-5160 github.com/yuin/goldmark/renderer/html: github.com/yuin/goldmar...
Keywords:
Status: NEW
Alias: CVE-2026-5160
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2458968 2458969 2458970 2458972 2458973 2458974 2458975 2458978 2458979 2458980 2458981 2458982 2458983 2458985 2458987 2458988 2458989 2458992 2458993 2458995 2458996 2458971 2458976 2458984 2458986 2458991 2458994 2458997 2458998
Blocks:
Reported: 2026-04-15 06:01 UTC by OSIDB Bzimport
Modified: 2026-04-16 18:20 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-15 06:01:14 UTC
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.
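The ordering problem in the description, shown as an added example that is not goldmark's own code: a prefix check that runs on the raw link destination is compared with one that runs after HTML entity decoding. The scheme list, the `&colon;` test input and the `RenderHref` helper are all constructed here for illustration; the real renderer's list and data: handling differ.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// dangerousSchemes is a constructed, simplified list of link schemes a
// Markdown renderer refuses to emit (the real renderer's list differs).
var dangerousSchemes = []string{"javascript:", "vbscript:"}

// hasDangerousPrefix is a plain prefix check on whatever string it is given.
// Its result is only meaningful if the input is already in the form the
// browser will interpret.
func hasDangerousPrefix(dest string) bool {
	lower := strings.ToLower(strings.TrimSpace(dest))
	for _, s := range dangerousSchemes {
		if strings.HasPrefix(lower, s) {
			return true
		}
	}
	return false
}

// IsDangerousURLNaive reproduces the vulnerable ordering from the advisory:
// it checks the raw destination first and only then decodes entities, so a
// scheme spelled with a named character reference is never seen by the check.
func IsDangerousURLNaive(dest string) (dangerous bool, normalized string) {
	dangerous = hasDangerousPrefix(dest)
	normalized = html.UnescapeString(dest)
	return dangerous, normalized
}

// IsDangerousURLSafe is the corrected ordering: normalize (decode entities)
// first, then validate the normalized value, so validation sees the same
// bytes the browser will see.
func IsDangerousURLSafe(dest string) (dangerous bool, normalized string) {
	normalized = html.UnescapeString(dest)
	dangerous = hasDangerousPrefix(normalized)
	return dangerous, normalized
}

// RenderHref returns the href attribute for a link destination using the
// safe ordering, or an empty string when the destination is rejected. The
// normalized URL is attribute-escaped again on output so decoding for
// validation does not turn into raw HTML in the rendered page.
func RenderHref(dest string) string {
	dangerous, normalized := IsDangerousURLSafe(dest)
	if dangerous {
		return ""
	}
	return `href="` + html.EscapeString(normalized) + `"`
}

func main() {
	// Constructed sample destinations: a benign URL, a plainly dangerous one,
	// and the same scheme with ':' written as the HTML5 named reference.
	samples := []string{
		"https://example.com/?a=1&b=2",
		"javascript:alert(1)",
		"javascript&colon;alert(1)",
	}
	for _, d := range samples {
		naive, _ := IsDangerousURLNaive(d)
		safe, _ := IsDangerousURLSafe(d)
		fmt.Printf("%-28q naive=%-5v safe=%-5v out=%s\n", d, naive, safe, RenderHref(d))
	}
}
```

Running this prints that only the entity-encoded destination is classified differently by the two orderings: the naive check passes it through, the normalize-then-validate check rejects it. The same pattern applies to any validator that operates on a representation the consumer will transform again before use.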

Comment 2 Marco Benatto 2026-04-16 18:20:54 UTC
Public upstream commit fixing this issue:
https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9

