The vulnerability stems from improper input sanitization in bio/description fields. The patch replaces Markdown2HTML with Markdown2BasicHTML which adds bluemonday sanitization. This indicates:

1. Markdown2HTML was used for user-controlled input (bio field in user_schema.go)
2. The new Markdown2BasicHTML explicitly restricts allowed elements/attributes
3. The CWE-79 classification confirms this is an output sanitization failure
4. The commit message explicitly addresses markdown processing security