CVE-2026-35166
Hugo does not properly escape some Markdown links
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
| CWE | CWE-79 |
| Vendor | gohugoio |
| Product | hugo |
| Published | Apr 6, 2026 |
| Last Updated | Apr 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for gohugoio hugo
Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
gohugoio / hugo
>= 0.60.0, < 0.159.2