XSS in Gohugoio Hugo

CVE-2026-58402

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info…

Vulnerability class: XSS (Cross-Site Scripting)

Affected products

Weakness classification (CWE)

References