VYPR

Hugo

by Hugo

CVEs (3)

  • CVE-2026-58404Jul 7, 2026
    risk 0.00cvss epss

    Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same…

  • CVE-2026-58403Jul 7, 2026
    risk 0.00cvss epss

    Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a…

  • CVE-2026-58402Jul 7, 2026
    risk 0.00cvss epss

    Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a…