CVE-2026-58402
Hugo default code block renderer XSS via unescaped code-fence language
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-โฆ" data-lang="โฆ" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
| CWE | CWE-79 |
| Vendor | gohugoio |
| Product | hugo |
| Published | Jul 6, 2026 |
| Last Updated | Jul 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for gohugoio hugo
Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
gohugoio / hugo
>= 0.60.0, < 0.163.3
References
github.com: https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6 github.com: https://github.com/gohugoio/hugo/pull/15051 github.com: https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d github.com: https://github.com/gohugoio/hugo/releases/tag/v0.163.3