XSS in Gohugoio Hugo

CVE-2026-35166

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (1.7th percentile) — read the EPSS interpretation.