VYPR
Vendor

Gohugoio

Products
1
CVEs
8
Across products
8
Status
Private

Products

1

Recent CVEs

8
  • CVE-2026-44301HigMay 12, 2026
    risk 0.46cvss 8.1epss 0.00

    Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an…

  • CVE-2024-32875MedApr 23, 2024
    risk 0.33cvss 6.1epss 0.01

    Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown…

  • CVE-2026-35166MedApr 6, 2026
    risk 0.28cvss 5.4epss 0.00

    Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This…

  • CVE-2024-55601MedDec 9, 2024
    risk 0.27cvss epss 0.01

    Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content…

  • CVE-2026-50135Jun 16, 2026
    risk 0.00cvss epss

    **Commit:** [f8b5fa09a6](https://github.com/gohugoio/hugo/commit/f8b5fa09a6) — _Fix prevention of direct symlink reads in resources.Get_ **Affected versions:** v0.123.0 through v0.161.1. Earlier versions are not affected. **Fixed in:** v0.162.0. **Severity:** Medium. Requires…

  • CVE-2026-50134Jun 16, 2026
    risk 0.00cvss epss

    **Commit:** [86fbb0f7a8](https://github.com/gohugoio/hugo/commit/86fbb0f7a8) — _security: Validate redirects against security.http.urls_ **Affected versions:** v0.91.0 (when `security.http.urls` was introduced) through v0.161.1. **Fixed in:** v0.162.0. **Severity:** Only…

  • CVE-2026-50133Jun 16, 2026
    risk 0.00cvss epss

    **Commit:** [e41a06447d](https://github.com/gohugoio/hugo/commit/e41a06447d) — _Disallow HTML content by default_ **Affected versions:** all Hugo versions prior to v0.162.0. **Fixed in:** v0.162.0. **Severity:** Low to Medium, depending on threat model. Not an issue if you…

  • CVE-2020-26284Dec 21, 2020
    risk 0.00cvss epss 0.01

    Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the…