CVE-2026-5160
XSS Vulnerability in goldmark/html Renderer Before
Publication date: 2026-04-15
Last updated on: 2026-04-23
Assigner: Snyk
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yuin | goldmark | up to 1.7.17 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5160 is a Cross-site Scripting (XSS) vulnerability in versions of the Go package github.com/yuin/goldmark/renderer/html before 1.7.17. The renderer validates link destinations with a prefix-based check (IsDangerousURL) before it decodes HTML entities. Because the check runs on the still-encoded string, an attacker can bypass the protocol filter by writing part of a dangerous scheme such as "javascript:" as HTML5 named character references (for example, "javascript:alert(1)" with one or more characters of the scheme encoded as named references). The check sees no dangerous prefix, the entities are decoded afterwards, and the resulting script runs in the context of any application that renders the link.
The root cause is validating user-supplied URLs before normalizing them: the prefix check is applied to an encoded form that does not match the filter, so a dangerous URL is judged safe and arbitrary script execution follows.
How can this vulnerability impact me?
This vulnerability can lead to Cross-site Scripting (XSS) attacks, where malicious scripts are injected into trusted websites and executed in users' browsers.
- Attackers can execute arbitrary scripts, potentially leading to session hijacking.
- It can cause exposure of sensitive data.
- Malware delivery through injected scripts is possible.
The attack requires no privileges but does require active user interaction, such as clicking a malicious link.
The impact includes limited confidentiality and integrity loss, but no impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your system is using a vulnerable version of the package github.com/yuin/goldmark/renderer/html prior to version 1.7.17.
You can check the installed version of the package in your project dependencies or modules. For example, if you are using Go modules, you can run the following command in your project directory:
- go list -m github.com/yuin/goldmark
If the version is older than 1.7.17, your system is vulnerable.
Additionally, you can scan your source code or binaries for usage of this package and check for unsafe rendering modes or unescaped URLs in markdown rendering.
Network detection of exploit attempts may be difficult because the attack relies on crafted markdown content whose dangerous URL is hidden behind HTML character references. Monitoring markdown inputs for a javascript: scheme whose characters are written as HTML character references, ideally by decoding entities before matching, can help.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-5160 is a Cross-site Scripting (XSS) vulnerability that allows attackers to execute arbitrary scripts in the context of applications rendering unsafe URLs. Such XSS vulnerabilities can lead to session hijacking, data exposure, and unauthorized access to sensitive information.
Because of these risks, this vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information. Failure to mitigate XSS vulnerabilities may result in unauthorized disclosure or manipulation of protected data, violating these regulations.
Remediation by upgrading to version 1.7.17 or later, which properly escapes and validates URLs, is necessary to maintain compliance and reduce the risk of data breaches caused by XSS attacks.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the package github.com/yuin/goldmark/renderer/html to version 1.7.17 or later, where the vulnerability has been fixed by properly ordering URL validation and normalization.
If upgrading is not immediately possible, consider the following temporary mitigations:
- Sanitize and validate all user inputs that may be rendered as markdown, especially URLs.
- Avoid enabling unsafe rendering modes that bypass URL escaping.
- Implement Content Security Policies (CSP) to restrict execution of unauthorized scripts.
- Monitor and filter markdown content for suspicious encoded URLs that could bypass validation.
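As an added illustration, not goldmark's own code, of the check-before-decode ordering described in the explanation above and of the normalize-then-validate ordering the fix applies, the Go snippet below models a prefix-based scheme check run before versus after HTML entity decoding; the scheme list, function names and sample destinations are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Prefix list of the kind an IsDangerousURL-style check uses. Assumption: an
// illustrative list, not goldmark's exact one (which also special-cases data: images).
var dangerousSchemes = []string{"javascript:", "vbscript:", "file:", "data:"}

// hasDangerousScheme is a plain, case-insensitive prefix check on the string it is given.
func hasDangerousScheme(dst string) bool {
	lower := strings.ToLower(dst)
	for _, s := range dangerousSchemes {
		if strings.HasPrefix(lower, s) {
			return true
		}
	}
	return false
}

// normalizeDestination decodes HTML character references (named and numeric)
// and trims whitespace, yielding the string the browser will actually act on.
func normalizeDestination(dst string) string {
	return strings.TrimSpace(html.UnescapeString(dst))
}

// checkThenDecode models the flawed ordering: the prefix check sees the raw,
// still-encoded destination, and decoding happens only afterwards, so an
// entity-encoded scheme passes. True means the destination would be emitted.
func checkThenDecode(dst string) bool {
	return !hasDangerousScheme(dst)
}

// decodeThenCheck is the corrected ordering: normalize first, then validate.
func decodeThenCheck(dst string) bool {
	return !hasDangerousScheme(normalizeDestination(dst))
}

func main() {
	// Constructed samples: a plain dangerous scheme, the same scheme with its
	// colon written as the HTML5 named reference &colon;, and a benign link.
	for _, dst := range []string{"javascript:alert(1)", "javascript&colon;alert(1)", "https://example.com/"} {
		fmt.Printf("%-28q check-then-decode=%-5v decode-then-check=%v\n", dst, checkThenDecode(dst), decodeThenCheck(dst))
	}
}
```

The same decode-then-match step is what an input filter for the detection advice above needs: matching the raw text alone misses the encoded form.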