diff --git a/install/package.json b/install/package.json
index 379b007c2d..4c1a6df2eb 100644
--- a/install/package.json
+++ b/install/package.json
@@ -148,7 +148,7 @@
 "toobusy-js": "0.5.1",
 "tough-cookie": "6.0.0",
 "undici": "^7.10.0",
-"validator": "13.15.15",
+"validator": "13.15.23",
 "webpack": "5.102.0",
 "webpack-merge": "6.0.1",
 "winston": "3.17.0",
diff --git a/test/user/custom-fields.js b/test/user/custom-fields.js
index df4feb2432..8a637f49a2 100644
--- a/test/user/custom-fields.js
+++ b/test/user/custom-fields.js
@@ -88,6 +88,14 @@ describe('custom user fields', () => {
 { message: '[[error:custom-user-field-invalid-link, Website]]' },
 );
 
+await assert.rejects(
+user.updateProfile(highRepUid, {
+uid: highRepUid,
+website: 'javascript:alert("xss")',
+}),
+{ message: '[[error:custom-user-field-invalid-link, Website]]' },
+);
+
 await assert.rejects(
 user.updateProfile(highRepUid, {
 uid: highRepUid,
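Review bot: The new `assert.rejects` for the `javascript:` website value appears to depend on the `validator` bump to 13.15.23 in the `install/package.json` hunk, but nothing in the test records that coupling, so a checkout with an older lockfile would fail here with no hint why. A short comment above the added block would make the regression guard self-explaining: `// Regression: dangerous URL schemes in link-type custom fields must be rejected; relies on validator >= 13.15.23 (see install/package.json).` The assertion also pins only the one lower-case literal; if the underlying validation is scheme-based, a second variant of the same scheme (different casing) would make the guard more robust against a regression that only handles the exact string. The enclosing `describe`/`it` body starts before this hunk and continues after it.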