Medium severity5.4NVD Advisory· Published Apr 6, 2026· Updated Apr 20, 2026
CVE-2026-35166
CVE-2026-35166
Description
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/gohugoio/hugoGo | >= 0.60.0, < 0.159.2 | 0.159.2 |
Affected products
4Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.