GHSA-mcv8-8m8x-48pg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mcv8-8m8x-48pg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mcv8-8m8x-48pg/GHSA-mcv8-8m8x-48pg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mcv8-8m8x-48pg
- Aliases
-
- CVE-2026-35166
- Published
- 2026-04-03T23:38:19Z
- Modified
- 2026-04-06T23:49:31.900964Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Hugo: Certain markdown links are not properly escaped
- Details
-
Impact
Links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected.
Patches
Patched in v0.159.2
Workarounds
Create custom render hooks for links and images in a Hugo theme/project.
- Database specific
{ "nvd_published_at": "2026-04-06T18:16:43Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2026-04-03T23:38:19Z" }- References
Affected packages
Go / github.com/gohugoio/hugo
Package
- Name
- github.com/gohugoio/hugo
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gohugoio/hugo