Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    22 vulnerabilities by gohugoio

    CVE-2026-50135 (GCVE-0-2026-50135)

    Vulnerability from nvd – Published: 2026-07-06 19:52 – Updated: 2026-07-06 19:52
    VLAI
    Title
    Hugo: Symlink confinement bypass in resources.Get
    Summary
    Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.162.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.162.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made \u00a0RootMappingFs.statRoot\u00a0 use \u00a0Stat\u00a0 (follows symlinks) instead of \u00a0Lstat\u00a0, so a direct \u00a0resources.Get\u00a0 of a symlink pointing outside its mount returned the target\u0027s contents \u2014 letting a symlink planted in a local mount (e.g. a vendored \u00a0themes/\u00a0 theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:52:04.561Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
            }
          ],
          "source": {
            "advisory": "GHSA-fw87-fv5r-9fpw",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: Symlink confinement bypass in resources.Get"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50135",
        "datePublished": "2026-07-06T19:52:04.561Z",
        "dateReserved": "2026-06-03T18:49:32.275Z",
        "dateUpdated": "2026-07-06T19:52:04.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58404 (GCVE-0-2026-58404)

    Vulnerability from nvd – Published: 2026-07-06 19:16 – Updated: 2026-07-06 19:16
    VLAI
    Title
    Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings
    Summary
    Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= v0.162.0, < v0.163.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= v0.162.0, \u003c v0.163.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:16:15.945Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv"
            },
            {
              "name": "https://github.com/gohugoio/hugo/pull/15020",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/pull/15020"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
            }
          ],
          "source": {
            "advisory": "GHSA-r46f-3rpw-hxrv",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58404",
        "datePublished": "2026-07-06T19:16:15.945Z",
        "dateReserved": "2026-06-30T18:19:58.379Z",
        "dateUpdated": "2026-07-06T19:16:15.945Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58403 (GCVE-0-2026-58403)

    Vulnerability from nvd – Published: 2026-07-06 19:25 – Updated: 2026-07-06 20:51
    VLAI
    Title
    Hugo symlink confinement bypass in os.ReadFile
    Summary
    Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.163.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58403",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:51:16.911843Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:51:27.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.163.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo\u0027s virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile \"somefile\" where somefile was a symlink pointing outside the mount would return the target\u0027s contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:25:45.971Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc"
            },
            {
              "name": "https://github.com/gohugoio/hugo/pull/15020",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/pull/15020"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
            }
          ],
          "source": {
            "advisory": "GHSA-c3wq-j5vh-68rc",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo symlink confinement bypass in os.ReadFile"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58403",
        "datePublished": "2026-07-06T19:25:45.971Z",
        "dateReserved": "2026-06-30T18:19:58.379Z",
        "dateUpdated": "2026-07-06T20:51:27.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58402 (GCVE-0-2026-58402)

    Vulnerability from nvd – Published: 2026-07-06 19:19 – Updated: 2026-07-06 20:54
    VLAI
    Title
    Hugo default code block renderer XSS via unescaped code-fence language
    Summary
    Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.60.0, < 0.163.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58402",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:52:58.622823Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:54:38.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.60.0, \u003c 0.163.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo\u0027s default code-block renderer wrote the Markdown code-fence language or info-string into the code class=\"language-\u2026\" data-lang=\"\u2026\" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:19:58.754Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6"
            },
            {
              "name": "https://github.com/gohugoio/hugo/pull/15051",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/pull/15051"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3"
            }
          ],
          "source": {
            "advisory": "GHSA-q76j-gcg9-vxc6",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo default code block renderer XSS via unescaped code-fence language"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58402",
        "datePublished": "2026-07-06T19:19:58.754Z",
        "dateReserved": "2026-06-30T18:19:58.378Z",
        "dateUpdated": "2026-07-06T20:54:38.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50134 (GCVE-0-2026-50134)

    Vulnerability from nvd – Published: 2026-07-06 19:42 – Updated: 2026-07-06 19:42
    VLAI
    Title
    Hugo: security.http.urls allow-list bypass via HTTP redirects
    Summary
    Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.91.0, < 0.162.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.91.0, \u003c 0.162.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:42:49.280Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
            }
          ],
          "source": {
            "advisory": "GHSA-vxgm-5rmg-5w8g",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: security.http.urls allow-list bypass via HTTP redirects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50134",
        "datePublished": "2026-07-06T19:42:49.280Z",
        "dateReserved": "2026-06-03T18:49:32.275Z",
        "dateUpdated": "2026-07-06T19:42:49.280Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50133 (GCVE-0-2026-50133)

    Vulnerability from nvd – Published: 2026-07-06 19:31 – Updated: 2026-07-06 19:31
    VLAI
    Title
    Hugo: XSS via text/html content files
    Summary
    Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: < 0.162.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.162.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = \"text/html\") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:31:50.237Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
            }
          ],
          "source": {
            "advisory": "GHSA-c54g-xjwj-8g82",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: XSS via text/html content files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50133",
        "datePublished": "2026-07-06T19:31:18.386Z",
        "dateReserved": "2026-06-03T18:49:32.275Z",
        "dateUpdated": "2026-07-06T19:31:50.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44301 (GCVE-0-2026-44301)

    Vulnerability from nvd – Published: 2026-05-12 21:37 – Updated: 2026-05-13 12:13
    VLAI
    Title
    Hugo: Node tool execution allows file system access outside the project directory
    Summary
    Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.43.0, < 0.161.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44301",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T12:12:51.322209Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T12:13:13.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.43.0, \u003c 0.161.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project\u0027s working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T21:37:52.825Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857"
            }
          ],
          "source": {
            "advisory": "GHSA-x597-9fr4-5857",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: Node tool execution allows file system access outside the project directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44301",
        "datePublished": "2026-05-12T21:37:52.825Z",
        "dateReserved": "2026-05-05T17:39:31.113Z",
        "dateUpdated": "2026-05-13T12:13:13.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35166 (GCVE-0-2026-35166)

    Vulnerability from nvd – Published: 2026-04-06 17:37 – Updated: 2026-04-06 18:02
    VLAI
    Title
    Hugo does not properly escape some Markdown links
    Summary
    Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.60.0, < 0.159.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-06T18:02:26.136376Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-06T18:02:37.432Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.60.0, \u003c 0.159.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-06T17:37:05.643Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg"
            }
          ],
          "source": {
            "advisory": "GHSA-mcv8-8m8x-48pg",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo does not properly escape some Markdown links"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35166",
        "datePublished": "2026-04-06T17:37:05.643Z",
        "dateReserved": "2026-04-01T17:26:21.133Z",
        "dateUpdated": "2026-04-06T18:02:37.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-55601 (GCVE-0-2024-55601)

    Vulnerability from nvd – Published: 2024-12-09 21:11 – Updated: 2024-12-10 17:13
    VLAI
    Title
    Hugo does not escape some attributes in internal templates
    Summary
    Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.139.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-55601",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-10T16:09:30.192956Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-10T17:13:48.519Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.139.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-09T21:11:10.463Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4"
            },
            {
              "name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
            }
          ],
          "source": {
            "advisory": "GHSA-c2xf-9v2r-r2rx",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo does not escape some attributes in internal templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-55601",
        "datePublished": "2024-12-09T21:11:10.463Z",
        "dateReserved": "2024-12-09T14:22:52.524Z",
        "dateUpdated": "2024-12-10T17:13:48.519Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32875 (GCVE-0-2024-32875)

    Vulnerability from nvd – Published: 2024-04-23 20:23 – Updated: 2024-08-02 02:20
    VLAI
    Title
    Hugo doesn't escape markdown title in internal render hooks
    Summary
    Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.125.3
    Create a notification for this product.
    gohugo hugo Affected: 0.123.0 , < 0.125.3 (custom)
        cpe:2.3:a:gohugo:hugo:0.123.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gohugo:hugo:0.123.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "hugo",
                "vendor": "gohugo",
                "versions": [
                  {
                    "lessThan": "0.125.3",
                    "status": "affected",
                    "version": "0.123.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32875",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-29T19:39:12.988615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:21.525Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.602Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
              },
              {
                "name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
              },
              {
                "name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.125.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-23T20:23:42.535Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
            },
            {
              "name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
            }
          ],
          "source": {
            "advisory": "GHSA-ppf8-hhpp-f5hj",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo doesn\u0027t escape markdown title in internal render hooks"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-32875",
        "datePublished": "2024-04-23T20:23:42.535Z",
        "dateReserved": "2024-04-19T14:07:11.229Z",
        "dateUpdated": "2024-08-02T02:20:35.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26284 (GCVE-0-2020-26284)

    Vulnerability from nvd – Published: 2020-12-21 22:40 – Updated: 2024-08-04 15:56
    VLAI
    Title
    Hugo can execute a binary from the current directory on Windows
    Summary
    Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: < 0.79.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:56:03.976Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/golang/go/issues/38736"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.79.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-21T22:40:15.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/golang/go/issues/38736"
            }
          ],
          "source": {
            "advisory": "GHSA-8j34-9876-pvfq",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo can execute a binary from the current directory on Windows",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-26284",
              "STATE": "PUBLIC",
              "TITLE": "Hugo can execute a binary from the current directory on Windows"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "hugo",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 0.79.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "gohugoio"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
                },
                {
                  "name": "https://github.com/golang/go/issues/38736",
                  "refsource": "MISC",
                  "url": "https://github.com/golang/go/issues/38736"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-8j34-9876-pvfq",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-26284",
        "datePublished": "2020-12-21T22:40:15.000Z",
        "dateReserved": "2020-10-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T15:56:03.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-50135 (GCVE-0-2026-50135)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:52 – Updated: 2026-07-06 19:52
    VLAI
    Title
    Hugo: Symlink confinement bypass in resources.Get
    Summary
    Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.162.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.162.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made \u00a0RootMappingFs.statRoot\u00a0 use \u00a0Stat\u00a0 (follows symlinks) instead of \u00a0Lstat\u00a0, so a direct \u00a0resources.Get\u00a0 of a symlink pointing outside its mount returned the target\u0027s contents \u2014 letting a symlink planted in a local mount (e.g. a vendored \u00a0themes/\u00a0 theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:52:04.561Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
            }
          ],
          "source": {
            "advisory": "GHSA-fw87-fv5r-9fpw",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: Symlink confinement bypass in resources.Get"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50135",
        "datePublished": "2026-07-06T19:52:04.561Z",
        "dateReserved": "2026-06-03T18:49:32.275Z",
        "dateUpdated": "2026-07-06T19:52:04.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50134 (GCVE-0-2026-50134)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:42 – Updated: 2026-07-06 19:42
    VLAI
    Title
    Hugo: security.http.urls allow-list bypass via HTTP redirects
    Summary
    Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.91.0, < 0.162.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.91.0, \u003c 0.162.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:42:49.280Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
            }
          ],
          "source": {
            "advisory": "GHSA-vxgm-5rmg-5w8g",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: security.http.urls allow-list bypass via HTTP redirects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50134",
        "datePublished": "2026-07-06T19:42:49.280Z",
        "dateReserved": "2026-06-03T18:49:32.275Z",
        "dateUpdated": "2026-07-06T19:42:49.280Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50133 (GCVE-0-2026-50133)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:31 – Updated: 2026-07-06 19:31
    VLAI
    Title
    Hugo: XSS via text/html content files
    Summary
    Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: < 0.162.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.162.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = \"text/html\") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:31:50.237Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
            }
          ],
          "source": {
            "advisory": "GHSA-c54g-xjwj-8g82",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: XSS via text/html content files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50133",
        "datePublished": "2026-07-06T19:31:18.386Z",
        "dateReserved": "2026-06-03T18:49:32.275Z",
        "dateUpdated": "2026-07-06T19:31:50.237Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58403 (GCVE-0-2026-58403)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:25 – Updated: 2026-07-06 20:51
    VLAI
    Title
    Hugo symlink confinement bypass in os.ReadFile
    Summary
    Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-59 - Improper Link Resolution Before File Access ('Link Following')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.163.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58403",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:51:16.911843Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:51:27.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.163.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo\u0027s virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile \"somefile\" where somefile was a symlink pointing outside the mount would return the target\u0027s contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-59",
                  "description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:25:45.971Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc"
            },
            {
              "name": "https://github.com/gohugoio/hugo/pull/15020",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/pull/15020"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
            }
          ],
          "source": {
            "advisory": "GHSA-c3wq-j5vh-68rc",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo symlink confinement bypass in os.ReadFile"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58403",
        "datePublished": "2026-07-06T19:25:45.971Z",
        "dateReserved": "2026-06-30T18:19:58.379Z",
        "dateUpdated": "2026-07-06T20:51:27.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58402 (GCVE-0-2026-58402)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:19 – Updated: 2026-07-06 20:54
    VLAI
    Title
    Hugo default code block renderer XSS via unescaped code-fence language
    Summary
    Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.60.0, < 0.163.3
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-58402",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T20:52:58.622823Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T20:54:38.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.60.0, \u003c 0.163.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo\u0027s default code-block renderer wrote the Markdown code-fence language or info-string into the code class=\"language-\u2026\" data-lang=\"\u2026\" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:19:58.754Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6"
            },
            {
              "name": "https://github.com/gohugoio/hugo/pull/15051",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/pull/15051"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3"
            }
          ],
          "source": {
            "advisory": "GHSA-q76j-gcg9-vxc6",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo default code block renderer XSS via unescaped code-fence language"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58402",
        "datePublished": "2026-07-06T19:19:58.754Z",
        "dateReserved": "2026-06-30T18:19:58.378Z",
        "dateUpdated": "2026-07-06T20:54:38.775Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-58404 (GCVE-0-2026-58404)

    Vulnerability from cvelistv5 – Published: 2026-07-06 19:16 – Updated: 2026-07-06 19:16
    VLAI
    Title
    Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings
    Summary
    Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= v0.162.0, < v0.163.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= v0.162.0, \u003c v0.163.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-06T19:16:15.945Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv"
            },
            {
              "name": "https://github.com/gohugoio/hugo/pull/15020",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/pull/15020"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
            }
          ],
          "source": {
            "advisory": "GHSA-r46f-3rpw-hxrv",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-58404",
        "datePublished": "2026-07-06T19:16:15.945Z",
        "dateReserved": "2026-06-30T18:19:58.379Z",
        "dateUpdated": "2026-07-06T19:16:15.945Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44301 (GCVE-0-2026-44301)

    Vulnerability from cvelistv5 – Published: 2026-05-12 21:37 – Updated: 2026-05-13 12:13
    VLAI
    Title
    Hugo: Node tool execution allows file system access outside the project directory
    Summary
    Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.43.0, < 0.161.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44301",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T12:12:51.322209Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T12:13:13.152Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.43.0, \u003c 0.161.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project\u0027s working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 6.2,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-12T21:37:52.825Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857"
            }
          ],
          "source": {
            "advisory": "GHSA-x597-9fr4-5857",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo: Node tool execution allows file system access outside the project directory"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44301",
        "datePublished": "2026-05-12T21:37:52.825Z",
        "dateReserved": "2026-05-05T17:39:31.113Z",
        "dateUpdated": "2026-05-13T12:13:13.152Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-35166 (GCVE-0-2026-35166)

    Vulnerability from cvelistv5 – Published: 2026-04-06 17:37 – Updated: 2026-04-06 18:02
    VLAI
    Title
    Hugo does not properly escape some Markdown links
    Summary
    Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.60.0, < 0.159.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-35166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-06T18:02:26.136376Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-06T18:02:37.432Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.60.0, \u003c 0.159.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-06T17:37:05.643Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg"
            }
          ],
          "source": {
            "advisory": "GHSA-mcv8-8m8x-48pg",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo does not properly escape some Markdown links"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-35166",
        "datePublished": "2026-04-06T17:37:05.643Z",
        "dateReserved": "2026-04-01T17:26:21.133Z",
        "dateUpdated": "2026-04-06T18:02:37.432Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-55601 (GCVE-0-2024-55601)

    Vulnerability from cvelistv5 – Published: 2024-12-09 21:11 – Updated: 2024-12-10 17:13
    VLAI
    Title
    Hugo does not escape some attributes in internal templates
    Summary
    Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.139.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-55601",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-10T16:09:30.192956Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-10T17:13:48.519Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.139.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-12-09T21:11:10.463Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx"
            },
            {
              "name": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4"
            },
            {
              "name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
            }
          ],
          "source": {
            "advisory": "GHSA-c2xf-9v2r-r2rx",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo does not escape some attributes in internal templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-55601",
        "datePublished": "2024-12-09T21:11:10.463Z",
        "dateReserved": "2024-12-09T14:22:52.524Z",
        "dateUpdated": "2024-12-10T17:13:48.519Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-32875 (GCVE-0-2024-32875)

    Vulnerability from cvelistv5 – Published: 2024-04-23 20:23 – Updated: 2024-08-02 02:20
    VLAI
    Title
    Hugo doesn't escape markdown title in internal render hooks
    Summary
    Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: >= 0.123.0, < 0.125.3
    Create a notification for this product.
    gohugo hugo Affected: 0.123.0 , < 0.125.3 (custom)
        cpe:2.3:a:gohugo:hugo:0.123.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gohugo:hugo:0.123.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "hugo",
                "vendor": "gohugo",
                "versions": [
                  {
                    "lessThan": "0.125.3",
                    "status": "affected",
                    "version": "0.123.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-32875",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-29T19:39:12.988615Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:51:21.525Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:20:35.602Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
              },
              {
                "name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
              },
              {
                "name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.123.0, \u003c 0.125.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-80",
                  "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-23T20:23:42.535Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
            },
            {
              "name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
            },
            {
              "name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
            }
          ],
          "source": {
            "advisory": "GHSA-ppf8-hhpp-f5hj",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo doesn\u0027t escape markdown title in internal render hooks"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-32875",
        "datePublished": "2024-04-23T20:23:42.535Z",
        "dateReserved": "2024-04-19T14:07:11.229Z",
        "dateUpdated": "2024-08-02T02:20:35.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26284 (GCVE-0-2020-26284)

    Vulnerability from cvelistv5 – Published: 2020-12-21 22:40 – Updated: 2024-08-04 15:56
    VLAI
    Title
    Hugo can execute a binary from the current directory on Windows
    Summary
    Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gohugoio hugo Affected: < 0.79.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:56:03.976Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/golang/go/issues/38736"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "hugo",
              "vendor": "gohugoio",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.79.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-21T22:40:15.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/golang/go/issues/38736"
            }
          ],
          "source": {
            "advisory": "GHSA-8j34-9876-pvfq",
            "discovery": "UNKNOWN"
          },
          "title": "Hugo can execute a binary from the current directory on Windows",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2020-26284",
              "STATE": "PUBLIC",
              "TITLE": "Hugo can execute a binary from the current directory on Windows"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "hugo",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 0.79.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "gohugoio"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
                },
                {
                  "name": "https://github.com/golang/go/issues/38736",
                  "refsource": "MISC",
                  "url": "https://github.com/golang/go/issues/38736"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-8j34-9876-pvfq",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2020-26284",
        "datePublished": "2020-12-21T22:40:15.000Z",
        "dateReserved": "2020-10-01T00:00:00.000Z",
        "dateUpdated": "2024-08-04T15:56:03.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }