CVE-2026-5160

medium Red Hat
CVSS v3 Base Score
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.1%
Exploitation probability in 30 days
Top 84% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
Low
Integrity
Low
Availability
None
Published: April 15, 2026 (86 days ago)
Last Modified: April 15, 2026
Vendor: Red Hat
Source: REDHAT

Description

A flaw was found in github.com/yuin/goldmark/renderer/html. This Cross-site Scripting (XSS) vulnerability allows a remote attacker to execute arbitrary scripts in the context of applications that render a malicious URL. The flaw stems from an improper ordering of URL validation and normalization, where the component validates link destinations before resolving HTML entities. This enables an attacker to bypass protocol filtering by encoding dangerous schemes using HTML5 named character references, leading to unauthorized code execution.

CWE

CWE-79

Affected Products

Custom Metric Autoscaler operator for Red Hat Openshift

References