CVE-2026-35166
Received Received - Intake
Improper Escaping in Hugo Markdown Renderer Allows XSS

Publication date: 2026-04-06

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35166
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
gohugo hugo From 0.60.0 (inc) to 0.159.2 (exc)
gohugo hugo From 0.60.0 (inc) to 0.159.2 (exc)
gohugo hugo From 0.60.0 (inc) to 0.159.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35166 is a vulnerability in the Hugo static site generator affecting versions from 0.60.0 up to but not including 0.159.2. The issue arises because links and image links in Hugo's default Markdown to HTML renderer are not properly escaped. This improper escaping can lead to security problems when rendering Markdown content.

Users who trust their Markdown content or who use custom render hooks for links and images are not affected by this vulnerability. The problem was fixed in version 0.159.2.

Impact Analysis

This vulnerability can potentially lead to security issues when rendering Markdown content in Hugo. Because links and image links are not properly escaped, maliciously crafted Markdown could exploit this flaw.

However, the severity is classified as low, and users who either trust their Markdown content or use custom render hooks for links and images are not impacted.

Detection Guidance

This vulnerability involves improper escaping of links and image links in Hugo's default Markdown to HTML renderer in versions from 0.60.0 to before 0.159.2.

To detect if your system is affected, first verify the Hugo version in use.

  • Run the command `hugo version` to check the installed Hugo version.

If the version is between 0.60.0 and before 0.159.2, your system is potentially vulnerable.

Since the vulnerability relates to Markdown rendering, you can also review your Markdown content and rendering behavior, especially if you do not use custom render hooks for links and images.

Mitigation Strategies

The vulnerability is fixed in Hugo version 0.159.2.

  • Upgrade your Hugo installation to version 0.159.2 or later.
  • If upgrading is not immediately possible, implement custom render hooks for links and images in your Hugo themes or projects to avoid the improper escaping issue.

Additionally, ensure that you only use trusted Markdown content to reduce risk.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart