Hugo Markdown Renderer Link Escaping Vulnerability

Vulnerability

A vulnerability exists in Hugo, a static site generator, in versions from 0.60.0 up to, but not including, 0.159.2. The issue arises because links and image links are not properly escaped in the default Markdown-to-HTML renderer. This vulnerability affects users who trust their Markdown content or have custom render hooks for links and images.

Impact

Because links and image links are not properly escaped, they can be handled improperly in the rendered output, potentially allowing injection attacks or other exploitation of the escaping issue.

Remediation

Users can upgrade to Hugo version 0.159.2 or later to address this vulnerability. Alternatively, custom render hooks for links and images can be created in the Hugo theme or project.
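To apply the upgrade guidance across build hosts or CI images, the following added example (not code from Hugo or from this advisory) classifies the banner printed by `hugo version` against the affected range stated above. The function name `Triage` and the sample banner are constructed for illustration, and a banner with no parsable version is reported as "unknown" so a build gate can fail closed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Bounds from the advisory: affected from 0.60.0, fixed in 0.159.2.
var (
	firstAffected = [3]int{0, 60, 0}
	firstFixed    = [3]int{0, 159, 2}
	versionRe     = regexp.MustCompile(`\bv(\d+)\.(\d+)(?:\.(\d+))?`)
)

// less reports whether version a sorts strictly before version b.
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Triage classifies one line of `hugo version` output as "affected",
// "not affected", or "unknown" (no parsable version; treat as a failure).
func Triage(output string) string {
	m := versionRe.FindStringSubmatch(output)
	if m == nil {
		return "unknown"
	}
	var v [3]int
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1]) // absent patch component counts as 0
	}
	if !less(v, firstAffected) && less(v, firstFixed) {
		return "affected"
	}
	return "not affected"
}

func main() {
	// Constructed sample banner; real output also carries a commit hash and build date.
	fmt.Println(Triage("hugo v0.159.1+extended linux/amd64 BuildDate=unknown"))
}
```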

Added: Apr 6, 2026, 6:25 PM
Updated: Apr 6, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.7
exploitability: 4.7
remediation: 8.3
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.