Description
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
Published: 2026-04-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Hugo, a widely used static site generator, failed to escape certain Markdown links and image links in its default renderer from version 0.60.0 through just before 0.159.2. This flaw allows an attacker to embed raw HTML or JavaScript via malicious Markdown links when the content is rendered, potentially enabling cross‑site scripting attacks against visitors of the generated site. The vulnerability matters most for sites that render Markdown from untrusted sources with the default renderer and no custom render hooks.

Affected Systems

Vulnerable versions of the gohugoio Hugo product span from 0.60.0 up to 0.159.1, inclusive. Users who trust their Markdown content or use custom link and image render hooks are not affected. Any site that relies on the default rendering of untrusted Markdown is at risk.

Risk and Exploitability

The vulnerability carries a CVSS base score of 5.3, denoting moderate severity, with no EPSS score available and no entry in the CISA KEV catalog. Attackers can trigger the issue by injecting crafted Markdown containing malicious links or images into the Hugo build process, typically through content management systems or manual content editing, leading to execution of arbitrary client‑side code.

Generated by OpenCVE AI on April 6, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hugo to version 0.159.2 or later to rectify the escaping issue.
  • If an immediate upgrade is not feasible, restrict Markdown input to trusted sources and validate or sanitize links before rendering.
  • Verify any custom link or image rendering hooks to ensure they perform proper escaping.
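The escaping that the last two actions ask for, written as an added example for this page rather than Hugo's own code or its patch: every attribute value and the link text of a Markdown link is HTML-escaped before the element is emitted, and a destination whose scheme is not on an allowlist is dropped. The function names and the allowlist are this example's assumptions.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"strings"
)

// allowedSchemes is this example's own conservative allowlist (an assumption,
// not Hugo's policy); the empty scheme admits relative and absolute paths.
var allowedSchemes = map[string]bool{"http": true, "https": true, "mailto": true, "": true}

// SafeDestination returns dest unchanged when its scheme is allowed and an
// empty string otherwise, so a rejected link is neutralised rather than rendered.
func SafeDestination(dest string) string {
	u, err := url.Parse(strings.TrimSpace(dest))
	if err != nil || !allowedSchemes[strings.ToLower(u.Scheme)] {
		return ""
	}
	return dest
}

// attr appends name="value" with the value HTML-escaped, so quotes, angle
// brackets and ampersands in it cannot end the attribute or the element.
func attr(b *strings.Builder, name, value string) {
	b.WriteString(" " + name + `="` + html.EscapeString(value) + `"`)
}

// RenderLink emits <a> for a Markdown link [text](dest "title").
func RenderLink(dest, title, text string) string {
	var b strings.Builder
	b.WriteString("<a")
	attr(&b, "href", SafeDestination(dest))
	if title != "" {
		attr(&b, "title", title)
	}
	b.WriteString(">" + html.EscapeString(text) + "</a>")
	return b.String()
}

func main() {
	// Constructed inputs: a benign link, a title with attribute-breaking
	// characters, and a destination using a disallowed scheme.
	fmt.Println(RenderLink("https://example.com/?a=1&b=2", "", "Example"))
	fmt.Println(RenderLink("/docs/", `say "hi" <b>`, "Docs"))
	fmt.Println(RenderLink("javascript:void(0)", "", "blocked"))
}
```

The same attr helper applies unchanged to an image's src, alt and title attributes.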

Advisories

Source: GitHub GHSA
ID: GHSA-mcv8-8m8x-48pg
Title: Hugo: Certain markdown links are not properly escaped

History

Mon, 20 Apr 2026 18:45:00 +0000

Type: CPEs
Values added:
  cpe:2.3:a:gohugo:hugo:*:*:*:*:*:linux:*:*
  cpe:2.3:a:gohugo:hugo:*:*:*:*:*:macos:*:*
  cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:*

Type: Metrics
Values removed:
  cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
Values added:
  cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 07 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values added:
  Gohugo
  Gohugo hugo

Type: Vendors & Products
Values added:
  Gohugo
  Gohugo hugo

Tue, 07 Apr 2026 00:00:00 +0000

Type: References

Type: Metrics
Values removed:
  threat_severity None
Values added:
  cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}
  threat_severity Moderate

Mon, 06 Apr 2026 20:00:00 +0000

Type: Metrics
Values added:
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 18:00:00 +0000

Type: Description
Values added:
  Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.

Type: Title
Values added:
  Hugo does not properly escape some Markdown links

Type: Weaknesses
Values added:
  CWE-79

Type: References

Type: Metrics
Values added:
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T18:02:37.432Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35166

Vulnrichment

Updated: 2026-04-06T18:02:30.593Z

NVD

Status : Analyzed

Published: 2026-04-06T18:16:43.060

Modified: 2026-04-20T18:34:45.460

Link: CVE-2026-35166

Red Hat

Severity : Moderate

Public Date: 2026-04-06T17:37:05Z

Links: CVE-2026-35166 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T09:38:01Z

Weaknesses