Browse all 4 CVE security advisories affecting gohugoio. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Hugo is a static site generator written in Go, designed to quickly create websites from content files. Historically, Hugo has faced vulnerabilities including remote code execution (RCE) through template processing, cross-site scripting (XSS) in content rendering, and privilege escalation in server configurations. The project maintains a security-focused approach with regular audits and prompt patching cycles. While Hugo has had four CVEs recorded, none have been classified as critical, reflecting the project's relatively secure architecture. The static nature of Hugo inherently reduces attack surfaces compared to dynamic web frameworks, though template processing and markdown parsing remain potential vectors for exploitation.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35166 | Hugo does not properly escape some Markdown links | hugo | CWE-79 | 6.4 | - | 2026-04-06 |
| CVE-2024-55601 | Hugo does not escape some attributes in internal templates | hugo | CWE-79 | 5.4 | - | 2024-12-09 |
| CVE-2024-32875 | Hugo doesn't escape markdown title in internal render hooks | hugo | CWE-80 | 6.1 | Medium | 2024-04-23 |
| CVE-2020-26284 | Hugo can execute a binary from the current directory on Windows | hugo | CWE-78 | 7.7 | High | 2020-12-21 |

This page lists every published CVE security advisory associated with gohugoio. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.