Jmooring

**Name of the Vulnerable Software and Affected Versions** Hugo versions prior to 0.161.0 **Description** When building a site that utilizes Node-based asset pipelines such as PostCSS, Babel, or TailwindCSS, the software invokes configured Node tools without restrictions on file system access. This allows code executed through these tools to read or write files outside the project's working directory when processing an untrusted site. **Recommendations** Update to version 0.161.0 or later. As a temporary workaround, block the affected tools in the `security.exec.allow` configuration.

**Name of the Vulnerable Software and Affected Versions** Hugo versions 0.123.0 through 0.139.4 **Description** The issue concerns unescaped HTML attributes in Markdown within internal templates. This affects Hugo users who do not trust their Markdown content files and are using one or more of the following templates: ` default/ markup/render-link.html`, ` default/ markup/render-image.html`, ` default/ markup/render-table.html`, and/or `shortcodes/youtube.html`. The issue is patched in version 0.139.4. **Recommendations** For Hugo versions 0.123.0 through 0.139.4, replace the affected internal templates with user-defined templates or disable the internal templates to mitigate the risk. Specifically, consider replacing or disabling the following templates: ` default/ markup/render-link.html`, ` default/ markup/render-image.html`, ` default/ markup/render-table.html`, and `shortcodes/youtube.html`. Update to version 0.139.4 or later to fully resolve the issue.