CVE-2026-5160: goldmark vulnerable to Cross-site Scripting (XSS)

April 17, 2026 (updated April 18, 2026)

Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.

References

github.com/advisories/GHSA-c97m-vxhj-p7j6
github.com/yuin/goldmark
github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9
nvd.nist.gov/vuln/detail/CVE-2026-5160
security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERERHTML-15838406

Code Behaviors & Features

Detect and mitigate CVE-2026-5160 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →