CVE-2026-35166

EUVD-2026-19414
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
hugo
bookworm
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
0.159.2-1
fixed
sid
0.159.2-1
fixed
trixie
vulnerable
Common Weakness Enumeration
References
https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg