github.com/gohugoio/hugo
Go10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/gohugoio/hugopage 1 of 1
- CVE-2020-26284HIGHCVSS 7.7EG 7.7✓ Fixed in 0.79.12020-12-21
Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before versio…
- CVE-2024-32875MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.125.32024-04-23
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks en…
- CVE-2024-55601MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.139.42024-12-09
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users …
- CVE-2026-35166MEDIUMCVSS 5.4EG 5.4✓ Fixed in 0.159.22026-04-06
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and …
- CVE-2026-44301HIGHCVSS 8.1EG 8.1✓ Fixed in 0.161.02026-05-12
Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. …
- CVE-2026-50133MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.162.02026-06-16
Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets conte…
- CVE-2026-50134MEDIUMCVSS 5.8EG 5.8✓ Fixed in 0.162.02026-06-16
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker…
- CVE-2026-50135MEDIUMCVSS 5.5EG 5.5✓ Fixed in 0.162.02026-06-16
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the…
- CVE-2026-58403MEDIUMCVSS 6.5EG 6.5✓ Fixed in 0.163.12026-07-06
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which foll…
- CVE-2026-58404MEDIUMCVSS 6.8EG 6.8✓ Fixed in 0.163.12026-07-06
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alte…
Check whether github.com/gohugoio/hugo is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/gohugoio/hugo CVEs against the assets you own.
Start Free Scan →