UBUNTU-CVE-2026-35166

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-35166

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-35166

Upstream

CVE-2026-35166

Published

2026-04-06T18:16:00Z

Modified

2026-05-20T16:25:35.729072161Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.

References

Affected packages

Ubuntu:16.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.15+git20160109.147.dd1d655-1

0.15+git20160109.147.dd1d655-2

0.15+git20160128.179.5def6d9-1

0.15+git20160206.203.ed23711-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.15+git20160206.203.ed23711-1",
            "binary_name": "golang-github-spf13-hugo-dev"
        },
        {
            "binary_version": "0.15+git20160206.203.ed23711-1",
            "binary_name": "hugo"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json"

Ubuntu:18.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.25.1-2

0.26-1

0.35-1

0.37.1-1

0.38-1

0.39-1

0.40-1

0.40.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.40.1-1",
            "binary_name": "golang-github-gohugoio-hugo-dev"
        },
        {
            "binary_version": "0.40.1-1",
            "binary_name": "hugo"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json"

Ubuntu:20.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.57.2-1

0.58.3-1

0.59.1-1.1

0.68.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.68.3-1",
            "binary_name": "hugo"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json"

Ubuntu:22.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.80.0-6

0.89.4-2

0.90.0-1

0.90.1-1

0.91.0-1

0.91.2-1

0.92.0-1

0.92.1-1build1

0.92.2-1

0.92.2-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.92.2-1ubuntu0.1",
            "binary_name": "hugo"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json"

Ubuntu:25.10

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.131.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.131.0-1",
            "binary_name": "hugo"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json"

Ubuntu:26.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.131.0-1

0.152.2-1

0.153.1-3

0.153.2-1

0.154.2-2

0.154.3-1

0.154.5-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.154.5-1",
            "binary_name": "hugo"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json"

Ubuntu:Pro:24.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.113.0-3

0.119.0-2

0.120.3-1

0.120.4-1

0.121.2-1

0.122.0-1

0.123.7-1build1

0.123.7-1ubuntu0.1

0.123.7-1ubuntu0.2

0.123.7-1ubuntu0.2+esm1

0.123.7-1ubuntu0.3

0.123.7-1ubuntu0.3+esm1

0.123.7-1ubuntu0.3+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.123.7-1ubuntu0.3+esm2",
            "binary_name": "hugo"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-35166.json"