Description
Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.
Published: 2026-04-15
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting that can lead to arbitrary script execution
Action: Update
AI Analysis

Impact

The vulnerability in the HTML renderer for a popular Markdown processing library permits cross‑site scripting. The flaw arises because URL validation is performed before HTML entity resolution, allowing an attacker to encode a dangerous scheme with named character references. A payload such as "javascript&colon;alert(1)" bypasses the protocol check, causing script execution in any application that renders the URL. This flaw confers the ability to run client‑side code in the user’s context, impacting confidentiality, integrity, and availability of the affected web application.

Affected Systems

Affected products include the Go library for Markdown rendering maintained by the entity at github.com/yuin/goldmark under the renderer/html module. Versions prior to 1.7.17 are susceptible. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS score of 5.1 places this issue in the medium severity range, and the EPSS score is not available, making the likelihood of exploitation uncertain. The vulnerability is not listed in the CISA KEV catalog, which suggests it has not been widely exploited in the wild at the time of analysis. Existing exploitation would require the target application to render attacker‑controlled Markdown that contains malicious URLs. The attack vector is attacker‑controlled content, typically via user input or content management systems that fail to sanitize Markdown before rendering.

Generated by OpenCVE AI on April 15, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the goldmark/renderer/html package to version 1.7.17 or later to incorporate the URL validation fix.
  • If a patch is not immediately available, ensure that any Markdown content is processed in a trusted environment or filtered to strip or encode link destinations before rendering.
  • Apply application‑level input validation to reject or encode URLs that begin with the javascript: scheme or other dangerous protocols before they reach the renderer.

Generated by OpenCVE AI on April 15, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c97m-vxhj-p7j6 goldmark vulnerable to Cross-site Scripting (XSS)
History

Thu, 23 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yuin:goldmark:*:*:*:*:*:*:*:*

Fri, 17 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Cross-site scripting via URL validation bug in Goldmark HTML renderer github.com/yuin/goldmark/renderer/html: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Yuin
Yuin goldmark
Vendors & Products Yuin
Yuin goldmark

Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Title Cross-site scripting via URL validation bug in Goldmark HTML renderer

Wed, 15 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Description Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript&colon;alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Yuin Goldmark
cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-04-15T18:07:10.025Z

Reserved: 2026-03-30T14:14:48.647Z

Link: CVE-2026-5160

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-15T06:16:13.860

Modified: 2026-04-23T17:00:30.137

Link: CVE-2026-5160

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-15T05:00:01Z

Links: CVE-2026-5160 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:53:30Z

Weaknesses