diff --git a/docs/content/en/open_source/upgrading/2.57.md b/docs/content/en/open_source/upgrading/2.57.md
index aeb39538930..2a31552c08d 100644
--- a/docs/content/en/open_source/upgrading/2.57.md
+++ b/docs/content/en/open_source/upgrading/2.57.md
@@ -2,6 +2,13 @@
 title: 'Upgrading to DefectDojo Version 2.57.x'
 toc_hide: true
 weight: -20260302
-description: No special instructions.
+description: HTML sanitization library replaced (bleach → nh3).
 ---
-There are no special instructions for upgrading to 2.57.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.57.0) for the contents of the release.
+Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.57.0) for the contents of the release.
+
+## HTML sanitization: bleach replaced by nh3
+
+The `bleach` library has been replaced by [`nh3`](https://nh3.readthedocs.io/) for HTML sanitization. This is a drop-in replacement in most cases, but there are two minor behavioral changes to be aware of:
+
+- **`style` attributes are no longer allowed.** `bleach` supported CSS property-level filtering (e.g. allowing only `color` or `font-weight`). `nh3` has no equivalent, so `style` attributes are stripped entirely to avoid allowing arbitrary CSS injection. Content that previously relied on inline styles (e.g. colored text in the login banner, background-color on markdown images) will lose that styling.
+- **Disallowed tags are stripped rather than escaped.** Previously, a tag like `<script>` would be rendered as the literal text `&lt;script&gt;`. Now the tag is removed entirely and only its text content is kept. This is the correct behavior for a sanitizer.
diff --git a/dojo/announcement/os_message.py b/dojo/announcement/os_message.py
index dfdb9288710..d1dde8c8800 100644
--- a/dojo/announcement/os_message.py
+++ b/dojo/announcement/os_message.py
@@ -1,7 +1,7 @@
 import logging
 
-import bleach
 import markdown
+import nh3
 import requests
 from django.core.cache import cache
 
@@ -75,11 +75,10 @@ def parse_os_message(text):
 
     headline_source = headline_source[:100]
     headline_rendered = markdown.markdown(headline_source)
-    headline_cleaned = bleach.clean(
+    headline_cleaned = nh3.clean(
         headline_rendered,
-        tags=INLINE_TAGS,
-        attributes=INLINE_ATTRS,
-        strip=True,
+        tags=set(INLINE_TAGS),
+        attributes={k: set(v) for k, v in INLINE_ATTRS.items()},
     )
     headline_html = _strip_outer_p(headline_cleaned)
 
@@ -98,11 +97,10 @@ def parse_os_message(text):
                 expanded_source,
                 extensions=["extra", "fenced_code", "nl2br"],
             )
-            expanded_html = bleach.clean(
+            expanded_html = nh3.clean(
                 expanded_rendered,
-                tags=BLOCK_TAGS,
-                attributes=BLOCK_ATTRS,
-                strip=True,
+                tags=set(BLOCK_TAGS),
+                attributes={k: set(v) for k, v in BLOCK_ATTRS.items()},
             )
 
     return {"message": headline_html, "expanded_html": expanded_html}
diff --git a/dojo/templatetags/display_tags.py b/dojo/templatetags/display_tags.py
index b02f57ea828..1d76a0b28bf 100644
--- a/dojo/templatetags/display_tags.py
+++ b/dojo/templatetags/display_tags.py
@@ -8,10 +8,9 @@
 from itertools import chain
 from pathlib import Path
 
-import bleach
 import dateutil.relativedelta
 import markdown
-from bleach.css_sanitizer import CSSSanitizer
+import nh3
 from django import template
 from django.conf import settings
 from django.contrib.auth.models import User
@@ -51,17 +50,21 @@
 }
 
 markdown_attrs = {
-    "*": ["id"],
-    "img": ["src", "alt", "title", "width", "height", "style"],
-    "a": ["href", "alt", "target", "title"],
-    "span": ["class"],  # used for code highlighting
-    "pre": ["class"],  # used for code highlighting
-    "div": ["class"],  # used for code highlighting
+    "*": {"id"},
+    "img": {"src", "alt", "title", "width", "height"},
+    "a": {"href", "alt", "target", "title"},
+    "span": {"class"},  # used for code highlighting
+    "pre": {"class"},  # used for code highlighting
+    "div": {"class"},  # used for code highlighting
 }
 
-markdown_styles = [
-    "background-color",
-]
+# nh3 base allowlist (equivalent to bleach.ALLOWED_TAGS / bleach.ALLOWED_ATTRIBUTES)
+_NH3_ALLOWED_TAGS = {"a", "abbr", "acronym", "b", "blockquote", "code", "em", "i", "li", "ol", "strong", "ul"}
+_NH3_ALLOWED_ATTRIBUTES = {
+    "a": {"href", "title", "target"},
+    "abbr": {"title"},
+    "acronym": {"title"},
+}
 
 finding_related_action_classes_dict = {
     "reset_finding_duplicate_status": "fa-solid fa-eraser",
@@ -92,21 +95,13 @@ def markdown_render(value):
                                                       "markdown.extensions.fenced_code",
                                                       "markdown.extensions.toc",
                                                       "markdown.extensions.tables"])
-        return mark_safe(bleach.clean(markdown_text, tags=markdown_tags, attributes=markdown_attrs, css_sanitizer=CSSSanitizer(allowed_css_properties=markdown_styles)))
+        return mark_safe(nh3.clean(markdown_text, tags=markdown_tags, attributes=markdown_attrs))
     return None
 
 
 @register.filter
 def bleach_with_a_tags(message):
-    # Create a copy of ALLOWED_ATTRIBUTES to avoid mutating the global
-    allowed_attributes = {
-        **bleach.ALLOWED_ATTRIBUTES,
-        "a": [*bleach.ALLOWED_ATTRIBUTES.get("a", []), "style", "target"],
-    }
-    return mark_safe(bleach.clean(
-        message,
-        attributes=allowed_attributes,
-        css_sanitizer=CSSSanitizer(allowed_css_properties=["color", "font-weight"])))
+    return mark_safe(nh3.clean(message, tags=_NH3_ALLOWED_TAGS, attributes=_NH3_ALLOWED_ATTRIBUTES))
 
 
 def text_shortener(value, length):
diff --git a/dojo/templatetags/get_banner.py b/dojo/templatetags/get_banner.py
index 321e7101604..6e7cbae0881 100644
--- a/dojo/templatetags/get_banner.py
+++ b/dojo/templatetags/get_banner.py
@@ -1,9 +1,9 @@
-import bleach
-from bleach.css_sanitizer import CSSSanitizer
+import nh3
 from django import template
 from django.utils.safestring import mark_safe
 
 from dojo.models import BannerConf
+from dojo.templatetags.display_tags import _NH3_ALLOWED_ATTRIBUTES, _NH3_ALLOWED_TAGS
 
 register = template.Library()
 
@@ -15,16 +15,8 @@ def get_banner_conf(attribute):
         value = getattr(banner_config, attribute, None)
         if value:
             if attribute == "banner_message":
-                # only admin can edit login banner, so we allow html, but still bleach it
-                # Create a copy of ALLOWED_ATTRIBUTES to avoid mutating the global
-                allowed_attributes = {
-                    **bleach.ALLOWED_ATTRIBUTES,
-                    "a": [*bleach.ALLOWED_ATTRIBUTES.get("a", []), "style", "target"],
-                }
-                return mark_safe(bleach.clean(
-                    value,
-                    attributes=allowed_attributes,
-                    css_sanitizer=CSSSanitizer(allowed_css_properties=["color", "font-weight"])))
+                # only admin can edit login banner, so we allow html, but still sanitize it
+                return mark_safe(nh3.clean(value, tags=_NH3_ALLOWED_TAGS, attributes=_NH3_ALLOWED_ATTRIBUTES))
             return value
     except Exception:
         return False
diff --git a/dojo/tools/api_sonarqube/importer.py b/dojo/tools/api_sonarqube/importer.py
index d0ae635cfa0..972b0e6ceab 100644
--- a/dojo/tools/api_sonarqube/importer.py
+++ b/dojo/tools/api_sonarqube/importer.py
@@ -2,9 +2,9 @@
 import re
 import textwrap
 
-import bleach
 import html2text
 import markdown
+import nh3
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from lxml import etree
@@ -420,12 +420,11 @@ def sanitize_rule_details(description):
             description,
             flags=re.DOTALL | re.IGNORECASE,
         )
-        return bleach.clean(
+        return nh3.clean(
             sanitized_description,
-            tags=SonarQubeApiImporter.ALLOWED_RULE_DESCRIPTION_TAGS,
-            attributes=SonarQubeApiImporter.ALLOWED_RULE_DESCRIPTION_ATTRIBUTES,
-            protocols=SonarQubeApiImporter.ALLOWED_RULE_DESCRIPTION_PROTOCOLS,
-            strip=True,
+            tags=set(SonarQubeApiImporter.ALLOWED_RULE_DESCRIPTION_TAGS),
+            attributes={k: set(v) for k, v in SonarQubeApiImporter.ALLOWED_RULE_DESCRIPTION_ATTRIBUTES.items()},
+            url_schemes=set(SonarQubeApiImporter.ALLOWED_RULE_DESCRIPTION_PROTOCOLS),
         )
 
     @staticmethod
diff --git a/dojo/utils.py b/dojo/utils.py
index 44fdd51ca21..69900463e0b 100644
--- a/dojo/utils.py
+++ b/dojo/utils.py
@@ -17,7 +17,6 @@
 from math import pi, sqrt
 from pathlib import Path
 
-import bleach
 import crum
 import cvss
 import redis as redis_lib
@@ -41,6 +40,7 @@
 from django.shortcuts import redirect as django_redirect
 from django.urls import get_resolver, reverse
 from django.utils import timezone
+from django.utils.html import escape
 from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.translation import gettext as _
 from kombu import Connection
@@ -1489,14 +1489,8 @@ def get_current_request():
 
 
 def create_bleached_link(url, title):
-    link = '<a href="'
-    link += url
-    link += '" target="_blank" title="'
-    link += title
-    link += '">'
-    link += title
-    link += "</a>"
-    return bleach.clean(link, tags={"a"}, attributes={"a": ["href", "target", "title"]})
+    # escape() encodes text into HTML — the right tool for embedding URLs into attributes, not a sanitizer like nh3
+    return f'<a href="{escape(url)}" target="_blank" title="{escape(title)}" rel="noopener noreferrer">{escape(title)}</a>'
 
 
 def get_object_or_none(klass, *args, **kwargs):
diff --git a/requirements.txt b/requirements.txt
index 1389f552d35..810bc2fdc72 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,5 @@
 # requirements.txt for DefectDojo using Python 3.x
-bleach==6.3.0
-bleach[css]
+nh3
 celery[sqs]==5.6.3
 # pycurl and boto3 are included via celery[sqs] for Celery Broker AWS (SQS) support
 defusedxml==0.7.1
diff --git a/tests/announcement_banner_test.py b/tests/announcement_banner_test.py
index de17fafe5ef..d3d5a4c89ac 100644
--- a/tests/announcement_banner_test.py
+++ b/tests/announcement_banner_test.py
@@ -141,11 +141,11 @@ def test_html_announcement(self):
         driver.get(self.base_url)
         self.assertFalse(self.is_element_by_css_selector_present(".announcement-banner:not([data-source])"))
 
-        text = "Links in announcements? <a href='https://github.com/DefectDojo/django-DefectDojo' style='color: #224477;' target='_blank'>you bet!</a>"
+        text = "Links in announcements? <a href='https://github.com/DefectDojo/django-DefectDojo' target='_blank'>you bet!</a>"
         self.enable_announcement(text, dismissable=False, style=self.type)
         self.assertTrue(self.is_success_message_present("Announcement updated successfully."))
 
-        driver.find_element(By.XPATH, "//div[contains(@class, 'announcement-banner')]/a[@href='https://github.com/DefectDojo/django-DefectDojo' and @style='color: #224477;' and @target='_blank']")
+        driver.find_element(By.XPATH, "//div[contains(@class, 'announcement-banner')]/a[@href='https://github.com/DefectDojo/django-DefectDojo' and @target='_blank']")
         self.disable_announcement()
         self.assertTrue(self.is_success_message_present("Announcement removed for everyone."))
 
diff --git a/unittests/test_finding_model.py b/unittests/test_finding_model.py
index 78ee40693f2..84dbdda42d1 100644
--- a/unittests/test_finding_model.py
+++ b/unittests/test_finding_model.py
@@ -95,7 +95,7 @@ def test_get_sast_source_file_path_with_link_and_source_code_management_uri(self
         finding.test = test
         finding.sast_source_file_path = "SastSourceFilePath"
         engagement.source_code_management_uri = "URL"
-        self.assertEqual('<a href="URL/SastSourceFilePath" target="_blank" title="SastSourceFilePath">SastSourceFilePath</a>', finding.get_sast_source_file_path_with_link())
+        self.assertEqual('<a href="URL/SastSourceFilePath" target="_blank" title="SastSourceFilePath" rel="noopener noreferrer">SastSourceFilePath</a>', finding.get_sast_source_file_path_with_link())
 
     def test_get_file_path_with_link_no_file_path(self):
         finding = Finding()
@@ -118,7 +118,7 @@ def test_get_file_path_with_link_and_source_code_management_uri(self):
         finding.test = test
         finding.file_path = "FilePath"
         engagement.source_code_management_uri = "URL"
-        self.assertEqual('<a href="URL/FilePath" target="_blank" title="FilePath">FilePath</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="URL/FilePath" target="_blank" title="FilePath" rel="noopener noreferrer">FilePath</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_github_no_scm_type_with_details_and_line(self):
         # checks that for github.com in uri dojo makes correct url to browse on github
@@ -133,7 +133,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_github_no_scm_ty
         finding.file_path = "some-folder/some-file.ext"
         finding.line = 5432
         engagement.source_code_management_uri = "https://github.com/some-test-account/some-test-repo"
-        self.assertEqual('<a href="https://github.com/some-test-account/some-test-repo/blob/some-commit-hash/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://github.com/some-test-account/some-test-repo/blob/some-commit-hash/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_github_with_scm_type_with_details_and_line(self):
         # checks that for github in custom field dojo makes correct url to browse on github
@@ -157,7 +157,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_github_with_scm_
         finding.line = 5432
 
         engagement.source_code_management_uri = "https://github.com/some-test-account/some-test-repo"
-        self.assertEqual('<a href="https://github.com/some-test-account/some-test-repo/blob/some-commit-hash/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://github.com/some-test-account/some-test-repo/blob/some-commit-hash/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public_project_with_no_details_and_line(self):
         # checks that for public bitbucket (bitbucket.org) in custom field
@@ -180,7 +180,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public
         finding.line = 5432
 
         engagement.source_code_management_uri = "https://bb.example.com/some-test-user/some-test-repo.git"
-        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/master/some-folder/some-file.ext#lines-5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/master/some-folder/some-file.ext#lines-5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public_project_with_commithash_and_line(self):
         # checks that for public bitbucket (bitbucket.org) in custom field  and existing commit hash in finding
@@ -204,7 +204,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_public
         finding.line = 5432
 
         engagement.source_code_management_uri = "https://bb.example.com/some-test-user/some-test-repo.git"
-        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/some-commit-hash/some-folder/some-file.ext#lines-5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/some-commit-hash/some-folder/some-file.ext#lines-5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_project_with_commithash_and_line(self):
         # checks that for standalone bitbucket in custom field  and existing commit hash in finding
@@ -228,7 +228,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standa
         finding.line = 5432
 
         engagement.source_code_management_uri = "https://bb.example.com/scm/some-test-project/some-test-repo.git"
-        self.assertEqual('<a href="https://bb.example.com/projects/some-test-project/repos/some-test-repo/browse/some-folder/some-file.ext?at=some-commit-hash#5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://bb.example.com/projects/some-test-project/repos/some-test-repo/browse/some-folder/some-file.ext?at=some-commit-hash#5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_project_with_branchtag_and_line(self):
         # checks that for standalone bitbucket in custom field  and existing branch/tag in finding
@@ -252,7 +252,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standa
         finding.line = 5432
 
         engagement.source_code_management_uri = "https://bb.example.com/scm/some-test-project/some-test-repo.git"
-        self.assertEqual('<a href="https://bb.example.com/projects/some-test-project/repos/some-test-repo/browse/some-folder/some-file.ext?at=some-branch#5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://bb.example.com/projects/some-test-project/repos/some-test-repo/browse/some-folder/some-file.ext?at=some-branch#5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standalone_user_with_branchtag_and_line(self):
         # checks that for standalone bitbucket in custom field  and existing branch/tag in finding
@@ -277,7 +277,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_bitbucket_standa
 
         engagement.source_code_management_uri = "https://bb.example.com/scm/~some-user/some-test-repo.git"
 
-        self.assertEqual('<a href="https://bb.example.com/users/some-user/repos/some-test-repo/browse/some-folder/some-file.ext?at=some-branch#5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://bb.example.com/users/some-user/repos/some-test-repo/browse/some-folder/some-file.ext?at=some-branch#5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_gitea_or_codeberg_project_with_no_details_and_line(self):
         # checks that for gitea and codeberg in custom field
@@ -300,7 +300,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_gitea_or_codeber
         finding.line = 5432
 
         engagement.source_code_management_uri = "https://bb.example.com/some-test-user/some-test-repo.git"
-        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/master/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/master/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_link_and_source_code_management_uri_gitea_or_codeberg_project_with_commithash_and_line(self):
         # checks that for gitea and codeberg in custom field  and existing commit hash in finding
@@ -324,7 +324,7 @@ def test_get_file_path_with_link_and_source_code_management_uri_gitea_or_codeber
         finding.line = 5432
 
         engagement.source_code_management_uri = "https://bb.example.com/some-test-user/some-test-repo.git"
-        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/some-commit-hash/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
+        self.assertEqual('<a href="https://bb.example.com/some-test-user/some-test-repo/src/some-commit-hash/some-folder/some-file.ext#L5432" target="_blank" title="some-folder/some-file.ext" rel="noopener noreferrer">some-folder/some-file.ext</a>', finding.get_file_path_with_link())
 
     def test_get_file_path_with_xss_attack(self):
         test = Test()
@@ -334,7 +334,13 @@ def test_get_file_path_with_xss_attack(self):
         finding.test = test
         finding.file_path = "<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>"
         engagement.source_code_management_uri = "<IMG SRC=javascript:alert('XSS')>"
-        self.assertEqual('<a href="&lt;IMG SRC=javascript:alert(\'XSS\')>/&lt;SCRIPT SRC=http://xss.rocks/xss.js>&lt;/SCRIPT>" target="_blank" title="&lt;SCRIPT SRC=http://xss.rocks/xss.js>&lt;/SCRIPT>">&lt;SCRIPT SRC=http://xss.rocks/xss.js&gt;&lt;/SCRIPT&gt;</a>', finding.get_file_path_with_link())
+        self.assertEqual(
+            '<a href="&lt;IMG SRC=javascript:alert(&#x27;XSS&#x27;)&gt;/&lt;SCRIPT SRC=http://xss.rocks/xss.js&gt;&lt;/SCRIPT&gt;"'
+            ' target="_blank"'
+            ' title="&lt;SCRIPT SRC=http://xss.rocks/xss.js&gt;&lt;/SCRIPT&gt;"'
+            ' rel="noopener noreferrer"'
+            '>&lt;SCRIPT SRC=http://xss.rocks/xss.js&gt;&lt;/SCRIPT&gt;</a>',
+            finding.get_file_path_with_link())
 
     def test_get_references_with_links_no_references(self):
         finding = Finding()
@@ -348,32 +354,32 @@ def test_get_references_with_links_no_links(self):
     def test_get_references_with_links_simple_url(self):
         finding = Finding()
         finding.references = "URL: https://www.example.com"
-        self.assertEqual('URL: <a href="https://www.example.com" target="_blank" title="https://www.example.com">https://www.example.com</a>', finding.get_references_with_links())
+        self.assertEqual('URL: <a href="https://www.example.com" target="_blank" title="https://www.example.com" rel="noopener noreferrer">https://www.example.com</a>', finding.get_references_with_links())
 
     def test_get_references_with_links_url_with_port(self):
         finding = Finding()
         finding.references = "http://www.example.com:8080"
-        self.assertEqual('<a href="http://www.example.com:8080" target="_blank" title="http://www.example.com:8080">http://www.example.com:8080</a>', finding.get_references_with_links())
+        self.assertEqual('<a href="http://www.example.com:8080" target="_blank" title="http://www.example.com:8080" rel="noopener noreferrer">http://www.example.com:8080</a>', finding.get_references_with_links())
 
     def test_get_references_with_links_url_with_path(self):
         finding = Finding()
         finding.references = "URL https://www.example.com/path/part2 behind URL"
-        self.assertEqual('URL <a href="https://www.example.com/path/part2" target="_blank" title="https://www.example.com/path/part2">https://www.example.com/path/part2</a> behind URL', finding.get_references_with_links())
+        self.assertEqual('URL <a href="https://www.example.com/path/part2" target="_blank" title="https://www.example.com/path/part2" rel="noopener noreferrer">https://www.example.com/path/part2</a> behind URL', finding.get_references_with_links())
 
     def test_get_references_with_links_complicated_url_with_parameter(self):
         finding = Finding()
         finding.references = "URL:https://www.example.com/path?param1=abc&_param2=xyz"
-        self.assertEqual('URL:<a href="https://www.example.com/path?param1=abc&amp;_param2=xyz" target="_blank" title="https://www.example.com/path?param1=abc&amp;_param2=xyz">https://www.example.com/path?param1=abc&amp;_param2=xyz</a>', finding.get_references_with_links())
+        self.assertEqual('URL:<a href="https://www.example.com/path?param1=abc&amp;_param2=xyz" target="_blank" title="https://www.example.com/path?param1=abc&amp;_param2=xyz" rel="noopener noreferrer">https://www.example.com/path?param1=abc&amp;_param2=xyz</a>', finding.get_references_with_links())
 
     def test_get_references_with_links_two_urls(self):
         finding = Finding()
         finding.references = "URL1: https://www.example.com URL2: https://info.example.com"
-        self.assertEqual('URL1: <a href="https://www.example.com" target="_blank" title="https://www.example.com">https://www.example.com</a> URL2: <a href="https://info.example.com" target="_blank" title="https://info.example.com">https://info.example.com</a>', finding.get_references_with_links())
+        self.assertEqual('URL1: <a href="https://www.example.com" target="_blank" title="https://www.example.com" rel="noopener noreferrer">https://www.example.com</a> URL2: <a href="https://info.example.com" target="_blank" title="https://info.example.com" rel="noopener noreferrer">https://info.example.com</a>', finding.get_references_with_links())
 
     def test_get_references_with_links_linebreak(self):
         finding = Finding()
         finding.references = "https://www.example.com\nhttps://info.example.com"
-        self.assertEqual('<a href="https://www.example.com" target="_blank" title="https://www.example.com">https://www.example.com</a>\n<a href="https://info.example.com" target="_blank" title="https://info.example.com">https://info.example.com</a>', finding.get_references_with_links())
+        self.assertEqual('<a href="https://www.example.com" target="_blank" title="https://www.example.com" rel="noopener noreferrer">https://www.example.com</a>\n<a href="https://info.example.com" target="_blank" title="https://info.example.com" rel="noopener noreferrer">https://info.example.com</a>', finding.get_references_with_links())
 
     def test_get_references_with_links_markdown(self):
         finding = Finding()
diff --git a/unittests/test_os_message.py b/unittests/test_os_message.py
index 3b43b1e3de5..813e49e0c85 100644
--- a/unittests/test_os_message.py
+++ b/unittests/test_os_message.py
@@ -43,7 +43,7 @@ def test_headline_inline_markdown(self):
         text = "# Read the **release notes** at [link](https://example.com)\n"
         result = os_message.parse_os_message(text)
         self.assertIn("<strong>release notes</strong>", result["message"])
-        self.assertIn('<a href="https://example.com">link</a>', result["message"])
+        self.assertIn('<a href="https://example.com" rel="noopener noreferrer">link</a>', result["message"])
         self.assertIsNone(result["expanded_html"])
 
     def test_headline_strips_disallowed_html(self):
diff --git a/unittests/tools/test_api_sonarqube_importer.py b/unittests/tools/test_api_sonarqube_importer.py
index 8dd3b9eafa0..4f3b83a5eb4 100644
--- a/unittests/tools/test_api_sonarqube_importer.py
+++ b/unittests/tools/test_api_sonarqube_importer.py
@@ -351,8 +351,8 @@ def test_get_rule_details_sanitizes_markdown_html(self):
         )
 
         self.assertIn("<h1>Heading</h1>", rule_details)
-        self.assertIn('<a href="https://example.com">safe</a>', rule_details)
-        self.assertIn("<a>unsafe</a>", rule_details)
+        self.assertIn('<a href="https://example.com" rel="noopener noreferrer">safe</a>', rule_details)
+        self.assertIn('<a rel="noopener noreferrer">unsafe</a>', rule_details)
         self.assertNotIn("<script", rule_details)
         self.assertNotIn("alert('boom')", rule_details)
         self.assertNotIn("javascript:", rule_details)
@@ -370,8 +370,8 @@ def test_get_rule_details_sanitizes_html_desc(self):
         )
 
         self.assertIn("<h2>References</h2>", rule_details)
-        self.assertIn('<a href="https://owasp.org">OWASP</a>', rule_details)
-        self.assertIn("<a>unsafe</a>", rule_details)
+        self.assertIn('<a href="https://owasp.org" rel="noopener noreferrer">OWASP</a>', rule_details)
+        self.assertIn('<a rel="noopener noreferrer">unsafe</a>', rule_details)
         self.assertNotIn("<style", rule_details)
         self.assertNotIn("display: none", rule_details)
         self.assertNotIn("javascript:", rule_details)