Go modules package
github.com/gohugoio/hugo
pkg:golang/github.com/gohugoio/hugo
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-44301 | Hig | 8.1 | >= 0.43.0, < 0.161.0 | 0.161.0 | May 12, 2026 | Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an un | |
| CVE-2026-35166 | Med | 5.4 | >= 0.60.0, < 0.159.2 | 0.159.2 | Apr 6, 2026 | Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerabili | |
| CVE-2024-55601 | Med | — | >= 0.123.0, < 0.139.4 | 0.139.4 | Dec 9, 2024 | Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content f | |
| CVE-2024-32875 | Med | 6.1 | >= 0.123.0, < 0.125.3 | 0.125.3 | Apr 23, 2024 | Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown con | |
| CVE-2020-26284 | — | < 0.79.1 | 0.79.1 | Dec 21, 2020 | Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the sa |
- affected >= 0.43.0, < 0.161.0fixed 0.161.0
Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an un
- affected >= 0.60.0, < 0.159.2fixed 0.159.2
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerabili
- affected >= 0.123.0, < 0.139.4fixed 0.139.4
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content f
- affected >= 0.123.0, < 0.125.3fixed 0.125.3
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown con
- CVE-2020-26284Dec 21, 2020affected < 0.79.1fixed 0.79.1
Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the sa