๐Ÿ” CVE Alert

CVE-2026-58402

UNKNOWN 0.0

Hugo default code block renderer XSS via unescaped code-fence language

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-โ€ฆ" data-lang="โ€ฆ" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.

CWE CWE-79
Vendor gohugoio
Product hugo
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for gohugoio hugo

Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

gohugoio / hugo
>= 0.60.0, < 0.163.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6 github.com: https://github.com/gohugoio/hugo/pull/15051 github.com: https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d github.com: https://github.com/gohugoio/hugo/releases/tag/v0.163.3