Skip to main content

Github Com Yuin Goldmark Renderer Html CVE-2026-5160

| EUVDEUVD-2026-22836 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-15 snyk GHSA-c97m-vxhj-p7j6
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Patch released
Apr 23, 2026 - 17:00 nvd
Patch available
CVSS changed
Apr 17, 2026 - 15:22 NVD
6.1 (MEDIUM) 5.1 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
1.7.17
Analysis Generated
Apr 15, 2026 - 05:50 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 05:45 euvd
EUVD-2026-22836
Analysis Generated
Apr 15, 2026 - 05:45 vuln.today
CVE Published
Apr 15, 2026 - 05:00 nvd
MEDIUM 5.1

DescriptionCVE.org

Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities. This allows an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references. For example, a payload such as javascript:alert(1) is not recognized as dangerous during validation, leading to arbitrary script execution in the context of applications that render the URL.

AnalysisAI

Cross-site scripting (XSS) in goldmark HTML renderer before version 1.7.17 allows unauthenticated remote attackers to execute arbitrary JavaScript by encoding dangerous URL schemes (such as javascript:) using HTML5 named character references, bypassing the renderer's prefix-based protocol validation due to improper ordering of entity resolution. Applications using affected versions can be exploited via crafted markdown containing malicious links that render unsafe protocols in user contexts, with a CVSS score of 6.1 indicating moderate real-world impact driven by the requirement for user interaction (UI:R) and change of scope across trust boundaries.

Technical ContextAI

The vulnerability exists in the goldmark markdown renderer's HTML output module, which processes markdown links and converts them to HTML anchor tags. The renderer implements URL validation through an IsDangerousURL function that uses prefix-based matching to detect and block dangerous protocols (javascript:, data:, vbscript:, etc.). However, the validation logic operates on the raw URL string before HTML entity resolution occurs. HTML5 named character references (such as : for ':') are resolved downstream during HTML rendering, allowing an attacker to encode the colon separator in dangerous schemes so they pass the prefix check intact. When the HTML is rendered by a browser, the entities are decoded, reconstructing the full dangerous URL scheme. This represents a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw where the order of operations creates a window for bypass. Affected versions are identified through the cpe:2.3:a:n/a:github.com/yuin/goldmark/renderer/html CPE string, indicating the renderer/html submodule of the goldmark package.

RemediationAI

Vendor-released patch: upgrade goldmark to version 1.7.17 or later. The upstream fix is documented in the commit cb46bbc4eca29d55aa9721e04ad207c23ccc44f9 (available at https://github.com/yuin/goldmark/commit/cb46bbc4eca29d55aa9721e04ad207c23ccc44f9), which reorders the validation logic to perform URL entity resolution before prefix-based dangerous protocol checking, preventing encoding bypasses. For Go applications, update the github.com/yuin/goldmark module dependency using 'go get -u github.com/yuin/goldmark@v1.7.17' or equivalent. Until patching, applications can implement additional server-side validation of link destinations using more robust URL parsing (parsing the URL to its canonical form before validation) rather than prefix matching. Verify the fix by testing against example payloads such as '[link](javascript:alert(1))' to confirm the renderer rejects or safely escapes the dangerous protocol.

Vendor StatusVendor

Share

CVE-2026-5160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy