CVE-2026-58402
Received Received - Intake

XSS via Unescaped Code Block Language in Hugo

Vulnerability report for CVE-2026-58402, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
go_hugo hugo From 0.60.0 (inc) to 0.163.3 (inc)
gohugoio hugo From 0.60.0 (inc) to 0.163.3 (inc)
gohugoio hugo 0.163.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Hugo, a static site generator, where the default code-block renderer from versions 0.60.0 to 0.163.3 wrote the Markdown code-fence language (info-string) directly into the HTML code element's attributes without proper HTML escaping.

Because the language string was not escaped, an attacker could include a quote and a script payload in the info-string, which would break out of the attribute context and inject a live script element into the page, leading to a cross-site scripting (XSS) vulnerability.

This issue was fixed in version 0.163.3 by escaping the language attribute to prevent such script injection.

Impact Analysis

If you use a vulnerable version of Hugo and process untrusted Markdown content that includes malicious code-fence language strings, an attacker could inject and execute arbitrary JavaScript in the generated site.

This cross-site scripting (XSS) vulnerability can lead to unauthorized actions on behalf of users, theft of sensitive information such as cookies or session tokens, and compromise of site visitors' security.

However, if only trusted content is processed, the risk is minimal.

Detection Guidance

This vulnerability involves unescaped Markdown code-fence language strings in Hugo's default code-block renderer, which can lead to cross-site scripting (XSS) if malicious input is processed.

To detect this vulnerability on your system, you can check the version of Hugo you are running. Versions from 0.60.0 up to 0.163.2 are vulnerable, while version 0.163.3 and later include the fix.

You can run the following command to check your Hugo version:

  • hugo version

Additionally, to detect if your generated site contains unescaped code-fence language attributes that could be exploited, you can search the generated HTML files for suspicious code blocks containing script tags or unescaped quotes in the language attribute.

For example, you can use grep to find occurrences of <script> tags or suspicious attributes in your public site directory:

  • grep -r '<script' public/
  • grep -r 'language=".*[\"\'].*' public/

If you find such patterns in your generated HTML, it may indicate that the vulnerability is present and exploitable.

Mitigation Strategies

The primary mitigation step is to upgrade Hugo to version 0.163.3 or later, where the vulnerability has been fixed by properly escaping the language attribute in code block rendering.

If upgrading immediately is not possible, avoid processing untrusted Markdown content that could contain malicious code-fence language strings.

Review your content sources and ensure that only trusted content is processed by Hugo to reduce the risk of exploitation.

After upgrading, rebuild your site to ensure the fix is applied and verify that no unescaped script elements appear in your generated HTML.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart