DEBIAN-CVE-2026-35166

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-35166

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35166.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-35166

Upstream

CVE-2026-35166

Published

2026-04-06T18:16:43.060Z

Modified

2026-04-28T20:31:42.478683Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.

References

https://security-tracker.debian.org/tracker/CVE-2026-35166

Affected packages

Debian:11 / hugo

Package

Name: hugo
Purl: pkg:deb/debian/hugo?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.80.0-6

0.80.0-6+deb11u1

0.81.0-1

0.82.0-1

0.82.1-1

0.83.0-1

0.83.1-1

0.84.0-1

0.84.1-1

0.84.2-1

0.84.3-1

0.84.4-1

0.85.0-1

0.86.0-1

0.86.1-1

0.86.1-2

0.87.0-1

0.88.0-1

0.88.1-1

0.89.0-1

0.89.1-1

0.89.2-1

0.89.3-1

0.89.4-1

0.89.4-2

0.90.0-1

0.90.1-1

0.91.0-1

0.91.2-1

0.92.0-1

0.92.1-1

0.92.2-1

0.93.0-1

0.93.3-1

0.94.2-1

0.95.0-1

0.96.0-1

0.97.3-1

0.98.0-1

0.99.1-1

0.100.1-1

0.100.2-1

0.101.0-1

0.101.0-2

0.102.1-1

0.102.1-2

0.102.2-1

0.102.3-1

0.103.0-1

0.103.1-1

0.104.0-1

0.104.1-1

0.104.1-2

0.104.2-1~bpo11+1

0.104.2-1

0.104.2-2

0.104.3-1~bpo11+1

0.104.3-1

0.105.0-1

0.105.0-2

0.106.0-1

0.107.0-1

0.108.0-1

0.109.0-1

0.110.0-1

0.111.2-1

0.111.3-1

0.112.7-1

0.113.0-1

0.113.0-2

0.113.0-3

0.114.1-1

0.114.1-2

0.115.4-1

0.116.1-1

0.117.0-1

0.118.2-1

0.119.0-1

0.119.0-2

0.120.3-1

0.120.4-1

0.121.1-1

0.121.2-1

0.122.0-1

0.123.3-1

0.123.7-1

0.123.8-1

0.123.8-2

0.124.1-1

0.125.4-1

0.125.5-1

0.125.6-1

0.125.7-1

0.126.1-1

0.126.2-1

0.126.3-1

0.127.0-1

0.128.2-1

0.128.2-2

0.129.0-1

0.129.0-2

0.130.0-1

0.130.0-2

0.131.0-1

0.131.0-2

0.150.0-1

0.150.1-1

0.151.0-1

0.151.1-1

0.151.2-1

0.152.1-1

0.152.2-1

0.153.0-1

0.153.1-1

0.153.1-2

0.153.1-3

0.153.2-1

0.154.1-1

0.154.2-1

0.154.2-2

0.154.3-1

0.154.5-1

0.155.1-1

0.155.2-1

0.155.3-1

0.157.0-1

0.157.0-2

0.157.0-3

0.158.0-1

0.158.0-2

0.158.0-3

0.159.0-1

0.159.1-1

0.159.2-1

0.160.0-1

0.160.0-2

0.160.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35166.json"

Debian:12 / hugo

Package

Name: hugo
Purl: pkg:deb/debian/hugo?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.111.3-1

0.112.7-1

0.113.0-1

0.113.0-2

0.113.0-3

0.114.1-1

0.114.1-2

0.115.4-1

0.116.1-1

0.117.0-1

0.118.2-1

0.119.0-1

0.119.0-2

0.120.3-1

0.120.4-1

0.121.1-1

0.121.2-1

0.122.0-1

0.123.3-1

0.123.7-1

0.123.8-1

0.123.8-2

0.124.1-1

0.125.4-1

0.125.5-1

0.125.6-1

0.125.7-1

0.126.1-1

0.126.2-1

0.126.3-1

0.127.0-1

0.128.2-1

0.128.2-2

0.129.0-1

0.129.0-2

0.130.0-1

0.130.0-2

0.131.0-1

0.131.0-2

0.150.0-1

0.150.1-1

0.151.0-1

0.151.1-1

0.151.2-1

0.152.1-1

0.152.2-1

0.153.0-1

0.153.1-1

0.153.1-2

0.153.1-3

0.153.2-1

0.154.1-1

0.154.2-1

0.154.2-2

0.154.3-1

0.154.5-1

0.155.1-1

0.155.2-1

0.155.3-1

0.157.0-1

0.157.0-2

0.157.0-3

0.158.0-1

0.158.0-2

0.158.0-3

0.159.0-1

0.159.1-1

0.159.2-1

0.160.0-1

0.160.0-2

0.160.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35166.json"

Debian:13 / hugo

Package

Name: hugo
Purl: pkg:deb/debian/hugo?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.131.0-1

0.131.0-2

0.150.0-1

0.150.1-1

0.151.0-1

0.151.1-1

0.151.2-1

0.152.1-1

0.152.2-1

0.153.0-1

0.153.1-1

0.153.1-2

0.153.1-3

0.153.2-1

0.154.1-1

0.154.2-1

0.154.2-2

0.154.3-1

0.154.5-1

0.155.1-1

0.155.2-1

0.155.3-1

0.157.0-1

0.157.0-2

0.157.0-3

0.158.0-1

0.158.0-2

0.158.0-3

0.159.0-1

0.159.1-1

0.159.2-1

0.160.0-1

0.160.0-2

0.160.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35166.json"

Debian:14 / hugo

Package

Name: hugo
Purl: pkg:deb/debian/hugo?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.159.2-1

Affected versions

0.*

0.131.0-1

0.131.0-2

0.150.0-1

0.150.1-1

0.151.0-1

0.151.1-1

0.151.2-1

0.152.1-1

0.152.2-1

0.153.0-1

0.153.1-1

0.153.1-2

0.153.1-3

0.153.2-1

0.154.1-1

0.154.2-1

0.154.2-2

0.154.3-1

0.154.5-1

0.155.1-1

0.155.2-1

0.155.3-1

0.157.0-1

0.157.0-2

0.157.0-3

0.158.0-1

0.158.0-2

0.158.0-3

0.159.0-1

0.159.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-35166.json"