XSS Vulnerability in Goldmark HTML Renderer by Yuin
CVE-2026-5160
5.1 MEDIUM
What is CVE-2026-5160?
The Goldmark HTML renderer, prior to version 1.7.17, has a Cross-site Scripting (XSS) vulnerability caused by improper URL validation and normalization. An attacker can exploit this weakness by encoding dangerous URL schemes with HTML5 named character references, allowing arbitrary script execution in applications that render attacker-supplied link or image URLs. The root cause is ordering: the renderer validates the destination with a prefix-based check on the raw text before the HTML entities in it are resolved, so a destination that decodes to javascript:alert(1) passes the check and reaches the output as a live script URL.
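The ordering problem described above, as an added example that is not goldmark's code: a hypothetical naive check that inspects the raw destination before entity decoding, beside a hardened version that decodes and normalizes the destination first and only then checks the scheme. The function names, the scheme list and the sample destinations are assumptions constructed for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Illustrative list of schemes that execute script when used as a link or
// image destination (assumption: a real renderer may keep a longer list).
var dangerousSchemes = []string{"javascript:", "vbscript:", "data:"}

// hasDangerousScheme performs the case-insensitive prefix check shared by
// both variants below.
func hasDangerousScheme(dest string) bool {
	lower := strings.ToLower(dest)
	for _, s := range dangerousSchemes {
		if strings.HasPrefix(lower, s) {
			return false == false // explicit: prefix matched
		}
	}
	return false
}

// naiveIsSafeURL models the flawed ordering the advisory describes: the
// prefix check runs on the raw destination text, before HTML entities are
// resolved, so an entity-encoded scheme does not match. (hypothetical helper)
func naiveIsSafeURL(dest string) bool {
	return !hasDangerousScheme(dest)
}

// hardenedIsSafeURL resolves HTML entities first, then normalizes the
// destination the way the WHATWG URL parser does (drop leading C0 controls
// and spaces, drop all ASCII tab/newline characters), and only then checks
// the scheme. (hypothetical helper)
func hardenedIsSafeURL(dest string) bool {
	decoded := html.UnescapeString(dest)
	decoded = strings.TrimLeftFunc(decoded, func(r rune) bool { return r <= ' ' })
	decoded = strings.Map(func(r rune) rune {
		if r == '\t' || r == '\n' || r == '\r' {
			return -1 // drop the character
		}
		return r
	}, decoded)
	return !hasDangerousScheme(decoded)
}

func main() {
	// Constructed sample destinations: the first encodes the colon of the
	// scheme as an HTML5 named character reference, as the advisory describes.
	samples := []string{
		"javascript&colon;alert(1)",
		"JavaScript:alert(1)",
		"https://example.com/?q=a&amp;b",
		"/relative/path",
	}
	for _, s := range samples {
		fmt.Printf("%-34q naive=%-5v hardened=%v\n",
			s, naiveIsSafeURL(s), hardenedIsSafeURL(s))
	}
}
```

The hardened variant decodes with html.UnescapeString, which understands the full HTML5 named reference table, so validation sees the same string a browser would interpret. The naive variant lets the first sample through because the raw text does not start with the literal prefix it is looking for.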
Affected Version(s)
github.com/yuin/goldmark/renderer/html: all versions from 0 up to, but not including, 1.7.17
References
CVSS v4
Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Catalin Iovita (Snyk Security Research)
