PT-2026-30283 · Hugo · Hugo
Cataliniovita
·
Published
2026-04-03
·
Updated
2026-04-06
·
CVE-2026-35166
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Hugo versions 0.60.0 through 0.159.1
Description
Hugo, a static site generator, has an issue where links and image links in the default markdown to HTML renderer are not properly escaped. Users who trust their Markdown content or have custom render hooks for links and images are not affected.
Recommendations
Update to version 0.159.2 or later.
Create custom render hooks for links and images in a Hugo theme/project.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hugo