PT-2026-33004 · Goldmark

Catalin Iovita · Published 2026-04-15 · Updated 2026-04-17

CVE-2026-5160

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: github.com/yuin/goldmark/renderer/html, versions prior to 1.7.17

Description: Improper ordering of URL validation and normalization allows cross-site scripting (XSS). The renderer validates link destinations with a prefix-based check (the IsDangerousURL() function) before HTML entities are resolved, so the check sees a different string from the one the browser will interpret. An attacker can bypass the protocol filter by encoding a dangerous scheme with HTML5 named character references, such as a javascript:alert(1) destination, which results in arbitrary script execution when the application renders the URL.

Recommendations: Update to version 1.7.17 or later.
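To make the ordering problem concrete, here is an added Go model that is not goldmark's own code: a hypothetical prefix check (isDangerousPrefix, with a constructed scheme list) is run either before entity decoding, as the advisory describes, or after it, which is the hardened order. The sample destinations are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed scheme denylist for illustration; assumed, not goldmark's actual list.
var dangerousPrefixes = []string{"javascript:", "vbscript:", "data:", "file:"}

// isDangerousPrefix is a case-insensitive prefix check over whatever string it is handed.
// It is only as good as the form of the string it sees, which is the whole point.
func isDangerousPrefix(dest string) bool {
	lower := strings.ToLower(strings.TrimSpace(dest))
	for _, p := range dangerousPrefixes {
		if strings.HasPrefix(lower, p) {
			return true
		}
	}
	return false
}

// validateThenNormalize models the vulnerable order: the check runs on the raw
// destination, and character references are resolved only afterwards.
func validateThenNormalize(dest string) (string, bool) {
	if isDangerousPrefix(dest) {
		return "", false
	}
	return html.UnescapeString(dest), true
}

// normalizeThenValidate is the hardened order: resolve HTML5 named character
// references first, so the check inspects the same bytes the browser will act on.
func normalizeThenValidate(dest string) (string, bool) {
	decoded := html.UnescapeString(dest)
	if isDangerousPrefix(decoded) {
		return "", false
	}
	return decoded, true
}

func main() {
	// Constructed inputs: a benign URL, a plain dangerous scheme, and the same
	// scheme with its colon written as an HTML5 named character reference.
	for _, d := range []string{"https://example.com/", "javascript:alert(1)", "javascript&colon;alert(1)"} {
		_, okOld := validateThenNormalize(d)
		_, okNew := normalizeThenValidate(d)
		fmt.Printf("%-28s accepted: validate-first=%v normalize-first=%v\n", d, okOld, okNew)
	}
}
```

Any remaining normalization the renderer applies (whitespace stripping, percent-decoding) must likewise happen before the check, and the decoded value must be re-escaped when written into the attribute.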

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-5160, GHSA-C97M-VXHJ-P7J6

Affected Products: Goldmark