GHSA-q76j-gcg9-vxc6MediumDisclosed before NVD

Hugo: XSS via unescaped code-fence language in default code block renderer

Published
June 19, 2026
Last Modified
June 19, 2026

📋 Description

Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the <code class="language-…" data-lang="…"> wrapper without HTML escaping. A fence info-string containing a quote and a <script> payload breaks out of the attribute and injects a live script element.

This is not an issue if you fully trust every file under /content and every content adapter you load.

🎯 Affected products1

  • go/github.com/gohugoio/hugo:>= 0.60.0, < 0.163.3

🔗 References (2)