Security: gohugoio/hugo
Security Advisories
View information about security vulnerabilities from this repository's maintainers.
- XSS via unescaped code-fence language in default code block renderer (GHSA-q76j-gcg9-vxc6), published Jun 18, 2026 by bep. Severity: Moderate
- security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF) (GHSA-r46f-3rpw-hxrv), published Jun 18, 2026 by bep. Severity: Moderate
- Symlink confinement bypass in os.ReadFile (GHSA-c3wq-j5vh-68rc), published Jun 18, 2026 by bep. Severity: Moderate
- Symlink confinement bypass in resources.Get (GHSA-fw87-fv5r-9fpw), published May 28, 2026 by bep. Severity: Moderate
- security.http.urls allow-list bypass via HTTP redirects (GHSA-vxgm-5rmg-5w8g), published May 28, 2026 by bep. Severity: Moderate
- XSS via text/html content files (GHSA-c54g-xjwj-8g82), published May 28, 2026 by bep. Severity: Moderate
- Some markdown links not properly escaped (GHSA-mcv8-8m8x-48pg), published Apr 1, 2026 by bep. Severity: Low
- Some attributes not escaped in internal templates (GHSA-c2xf-9v2r-r2rx), published Dec 9, 2024 by bep. Severity: Low
- Node tool execution allows file system access outside the project directory (GHSA-x597-9fr4-5857), published Apr 28, 2026 by bep. Severity: Moderate
- Markdown title not escaped in internal render hooks (GHSA-ppf8-hhpp-f5hj), published Apr 23, 2024 by bep. Severity: Low