XSS in Gohugoio Hugo

CVE-2024-55601

Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.004 (59.8th percentile) — read the EPSS interpretation.

Affected products

Gohugoio Hugo — versions >= 0.123.0, < 0.139.4

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx (x_refsource_CONFIRM)
https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0 (x_refsource_MISC)
https://github.com/gohugoio/hugo/releases/tag/v0.139.4 (x_refsource_MISC)
https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault (x_refsource_MISC)