CVE-2026-35166

MEDIUM SEVERITY

Vulnerability Description

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.

Vulnerability Details

Published Date

April 03, 2026

Last Modified

April 07, 2026

CWE ID

CWE-79

Source

GitHub

Vendor

Product

github.com/gohugoio/hugo

External References

https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg
https://github.com/gohugoio/hugo/commit/479fe6c654937a850b65e74551dc4e857d52898f
https://github.com/advisories/GHSA-mcv8-8m8x-48pg

CVE-2026-35166

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment