{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5160", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2026-03-30T14:14:48.647Z", "datePublished": "2026-04-15T05:00:01.655Z", "dateUpdated": "2026-04-15T18:07:10.025Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "exploitCodeMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N"}}], "credits": [{"value": "Catalin Iovita (Snyk Security Research)", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Cross-site Scripting (XSS)", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2026-04-15T05:00:01.655Z"}, "descriptions": [{"value": "Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERERHTML-15838406"}, {"url": "https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9"}], "affected": [{"product": "github.com/yuin/goldmark/renderer/html", "versions": [{"version": "0", "lessThan": "1.7.17", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:07:02.033634Z", "id": "CVE-2026-5160", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:07:10.025Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yuin:goldmark:*:*:*:*:*:*:*:*", "matchCriteriaId": "B58D5738-7313-4E7D-82A5-45C567B7067F", "versionEndExcluding": "1.7.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL."}], "id": "CVE-2026-5160", "lastModified": "2026-04-23T17:00:30.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "report@snyk.io", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2026-04-15T06:16:13.860", "references": [{"source": "report@snyk.io", "tags": ["Patch"], "url": "https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9"}, {"source": "report@snyk.io", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERERHTML-15838406"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "report@snyk.io", "type": "Secondary"}]}

{"bugzilla": {"description": "github.com/yuin/goldmark/renderer/html: github.com/yuin/goldmark/renderer/html: Cross-site Scripting due to improper URL validation", "id": "2458616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458616"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in github.com/yuin/goldmark/renderer/html. This Cross-site Scripting (XSS) vulnerability allows a remote attacker to execute arbitrary scripts in the context of applications that render a malicious URL. The flaw stems from an improper ordering of URL validation and normalization, where the component validates link destinations before resolving HTML entities. This enables an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references, leading to unauthorized code execution."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, avoid rendering untrusted content with applications utilizing `github.com/yuin/goldmark/renderer/html`. Ensure that all input processed by the affected component is thoroughly sanitized to prevent the injection of malicious HTML entities or dangerous URL schemes."}, "name": "CVE-2026-5160", "package_state": [{"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Fix deferred", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-adapter-rhel9", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Fix deferred", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-admission-webhooks-rhel9", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Fix deferred", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}, {"cpe": "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2", "fix_state": "Fix deferred", "package_name": "custom-metrics-autoscaler/custom-metrics-autoscaler-rhel9-operator", "product_name": "Custom Metric Autoscaler operator for Red Hat Openshift"}], "public_date": "2026-04-15T05:00:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5160\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5160\nhttps://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9\nhttps://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMYUINGOLDMARKRENDERERHTML-15838406"], "statement": "This vulnerability is rated as Moderate as user interaction is required by accessing the maliciously crafted content in order to an attacker perform the exploit. A Cross-site Scripting (XSS) flaw exists in `github.com/yuin/goldmark/renderer/html` due to incorrect ordering of URL validation and HTML entity resolution. This allows an attacker to bypass protocol filtering by encoding dangerous schemes, leading to arbitrary script execution when a malicious URL is rendered.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7.17)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "github.com/yuin/goldmark/renderer/html", "source": "cna", "vendor": "n/a"}, "product": "goldmark", "vendor": "yuin"}], "analysis": {"en": {"generated_at": "2026-04-15T06:50:25.453045+00:00", "value": {"mitigation_remediation": ["Upgrade the goldmark/renderer/html package to version 1.7.17 or later to incorporate the URL validation fix.", "If a patch is not immediately available, ensure that any Markdown content is processed in a trusted environment or filtered to strip or encode link destinations before rendering.", "Apply application\u2011level input validation to reject or encode URLs that begin with the javascript: scheme or other dangerous protocols before they reach the renderer."], "summary": {"action": "Update", "impact": "Cross-site scripting that can lead to arbitrary script execution"}, "threat_synthesis": {"affected_systems": "Affected products include the Go library for Markdown rendering maintained by the entity at github.com/yuin/goldmark under the renderer/html module. Versions prior to 1.7.17 are susceptible. No other vendors or product versions are listed.", "description_and_impact": "The vulnerability in the HTML renderer for a popular Markdown processing library permits cross\u2011site scripting. The flaw arises because URL validation is performed before HTML entity resolution, allowing an attacker to encode a dangerous scheme with named character references. A payload such as \"javascript:alert(1)\" bypasses the protocol check, causing script execution in any application that renders the URL. This flaw confers the ability to run client\u2011side code in the user\u2019s context, impacting confidentiality, integrity, and availability of the affected web application.", "risk_and_exploitability": "The CVSS score of 5.1 places this issue in the medium severity range, and the EPSS score is not available, making the likelihood of exploitation uncertain. The vulnerability is not listed in the CISA KEV catalog, which suggests it has not been widely exploited in the wild at the time of analysis. Existing exploitation would require the target application to render attacker\u2011controlled Markdown that contains malicious URLs. The attack vector is attacker\u2011controlled content, typically via user input or content management systems that fail to sanitize Markdown before rendering."}}}}, "created": "2026-04-15T13:49:14.868336+00:00", "title": "Cross-site scripting via URL validation bug in Goldmark HTML renderer", "updated": "2026-04-15T14:53:30.314176+00:00", "vendors": ["yuin", "yuin$PRODUCT$goldmark"]}