CVE-2026-58402

Source
https://cve.org/CVERecord?id=CVE-2026-58402
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58402.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58402
Aliases
Downstream
Published
2026-07-06T19:19:58.754Z
Modified
2026-07-09T04:02:36.004712020Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Hugo default code block renderer XSS via unescaped code-fence language
Details

Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58402.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/gohugoio/hugo

Affected ranges

Type
GIT
Repo
https://github.com/gohugoio/hugo
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.60.0"
        },
        {
            "fixed": "0.163.3"
        }
    ]
}

Affected versions

v0.*
v0.100.0
v0.100.1
v0.100.2
v0.101.0
v0.102.0
v0.102.3
v0.103.1
v0.104.0
v0.104.1
v0.104.2
v0.104.3
v0.105.0
v0.106.0
v0.107.0
v0.108.0
v0.109.0
v0.110.0
v0.111.1
v0.111.2
v0.111.3
v0.112.0
v0.112.1
v0.112.2
v0.112.3
v0.112.4
v0.112.6
v0.112.7
v0.113.0
v0.114.0
v0.115.0
v0.115.1
v0.115.2
v0.115.3
v0.115.4
v0.116.0
v0.116.1
v0.118.0
v0.118.1
v0.118.2
v0.119.0
v0.120.0
v0.120.1
v0.120.2
v0.120.3
v0.120.4
v0.121.0
v0.121.1
v0.121.2
v0.122.0
v0.123.1
v0.123.2
v0.123.3
v0.123.4
v0.123.5
v0.123.6
v0.123.7
v0.123.8
v0.124.0
v0.124.1
v0.125.0
v0.125.1
v0.125.2
v0.125.4
v0.125.5
v0.125.6
v0.125.7
v0.126.0
v0.126.1
v0.126.3
v0.127.0
v0.128.0
v0.128.1
v0.128.2
v0.129.0
v0.130.0
v0.131.0
v0.132.0
v0.132.1
v0.132.2
v0.133.0
v0.133.1
v0.134.0
v0.134.1
v0.134.2
v0.134.3
v0.135.0
v0.136.0
v0.136.1
v0.136.2
v0.136.3
v0.136.5
v0.137.0
v0.137.1
v0.138.0
v0.139.0
v0.139.1
v0.139.2
v0.139.3
v0.139.4
v0.140.0
v0.140.1
v0.140.2
v0.141.0
v0.142.0
v0.143.0
v0.143.1
v0.144.0
v0.144.1
v0.145.0
v0.146.0
v0.146.1
v0.146.2
v0.146.3
v0.146.4
v0.146.5
v0.146.6
v0.146.7
v0.147.0
v0.147.1
v0.147.2
v0.147.3
v0.147.5
v0.147.6
v0.147.7
v0.147.8
v0.147.9
v0.148.0
v0.148.1
v0.148.2
v0.149.0
v0.149.1
v0.150.0
v0.150.1
v0.151.0
v0.151.1
v0.152.0
v0.152.1
v0.152.2
v0.153.0
v0.153.1
v0.153.2
v0.153.3
v0.153.4
v0.153.5
v0.154.0
v0.154.1
v0.154.2
v0.154.3
v0.154.4
v0.154.5
v0.155.0
v0.155.1
v0.155.2
v0.155.3
v0.156.0
v0.157.0
v0.158.0
v0.159.0
v0.159.1
v0.159.2
v0.160.0
v0.160.1
v0.161.0
v0.161.1
v0.162.0
v0.162.1
v0.163.0
v0.163.1
v0.163.2
v0.60.0
v0.60.1
v0.61.0
v0.62.0
v0.62.1
v0.62.2
v0.63.0
v0.63.1
v0.63.2
v0.64.0
v0.64.1
v0.65.0
v0.65.1
v0.65.2
v0.65.3
v0.66.0
v0.67.0
v0.67.1
v0.68.0
v0.68.1
v0.68.2
v0.68.3
v0.69.0
v0.69.1
v0.69.2
v0.70.0
v0.71.0
v0.71.1
v0.72.0
v0.74.0
v0.74.1
v0.74.2
v0.74.3
v0.75.0
v0.75.1
v0.76.0
v0.76.1
v0.76.2
v0.76.4
v0.77.0
v0.78.0
v0.78.1
v0.78.2
v0.79.0
v0.80.0
v0.81.0
v0.82.0
v0.83.0
v0.83.1
v0.84.0
v0.84.1
v0.84.2
v0.84.3
v0.84.4
v0.85.0
v0.86.0
v0.87.0
v0.88.0
v0.88.1
v0.89.0
v0.89.1
v0.89.2
v0.89.3
v0.89.4
v0.90.0
v0.90.1
v0.91.0
v0.91.1
v0.91.2
v0.92.0
v0.92.1
v0.92.2
v0.93.0
v0.93.1
v0.93.2
v0.93.3
v0.94.0
v0.94.1
v0.94.2
v0.95.0
v0.97.0
v0.97.1
v0.97.2
v0.97.3
v0.98.0
v0.99.0
v0.99.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58402.json"