{"ecosystem":"go","package":"github.com/gohugoio/hugo","version":null,"bugs":[{"id":1330,"ecosystem":"go","package_name":"github.com/gohugoio/hugo","affected_version":null,"fixed_version":"0.79.1","bug_id":"osv:GHSA-8j34-9876-pvfq","title":"Hugo can execute a binary from the current directory on Windows","description":"## Impact\n\nHugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. However, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one.\n\nWindows users who run `hugo` inside untrusted Hugo sites are affected.\n\n## Patches\nUsers should upgrade to Hugo v0.79.1.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq","labels":["CVE-2020-26284"],"created_at":"2026-04-19T04:32:48.616258+00:00","updated_at":"2026-04-19T04:32:48.616258+00:00"},{"id":1335,"ecosystem":"go","package_name":"github.com/gohugoio/hugo","affected_version":"0.123.0","fixed_version":"0.139.4","bug_id":"osv:GO-2024-3314","title":"Hugo does not escape some attributes in internal templates in github.com/gohugoio/hugo","description":"Hugo does not escape some attributes in internal templates in github.com/gohugoio/hugo","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx","labels":["CVE-2024-55601","GHSA-c2xf-9v2r-r2rx"],"created_at":"2026-04-19T04:32:48.619173+00:00","updated_at":"2026-04-19T04:32:48.619173+00:00"},{"id":1334,"ecosystem":"go","package_name":"github.com/gohugoio/hugo","affected_version":"0.123.0","fixed_version":"0.125.3","bug_id":"osv:GO-2024-2747","title":"Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo","description":"Hugo 
Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj","labels":["CVE-2024-32875","GHSA-ppf8-hhpp-f5hj"],"created_at":"2026-04-19T04:32:48.618734+00:00","updated_at":"2026-04-19T04:32:48.618734+00:00"},{"id":1333,"ecosystem":"go","package_name":"github.com/gohugoio/hugo","affected_version":"0.123.0","fixed_version":"0.125.3","bug_id":"osv:GHSA-ppf8-hhpp-f5hj","title":"Hugo Markdown titles are not escaped in internal render hooks","description":"### Impact\n\nTitle argument in Markdown for links and images is not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files.\n\n### Patches\n\nPatched in v0.125.3.\n\n### Workarounds\n\nReplace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault\n\n### References\n\nhttps://github.com/gohugoio/hugo/releases/tag/v0.125.3","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj","labels":["CVE-2024-32875","GO-2024-2747"],"created_at":"2026-04-19T04:32:48.618246+00:00","updated_at":"2026-04-19T04:32:48.618246+00:00"},{"id":1332,"ecosystem":"go","package_name":"github.com/gohugoio/hugo","affected_version":"0.60.0","fixed_version":"0.159.2","bug_id":"osv:GHSA-mcv8-8m8x-48pg","title":"Hugo: Certain markdown links are not properly escaped","description":"### Impact\nLinks and image links in the default markdown to HTML renderer are not properly escaped. 
Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected.\n\n### Patches\nPatched in v0.159.2\n\n### Workarounds\nCreate custom render hooks for links and images in a Hugo theme/project.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg","labels":["CVE-2026-35166"],"created_at":"2026-04-19T04:32:48.617782+00:00","updated_at":"2026-04-19T04:32:48.617782+00:00"},{"id":1331,"ecosystem":"go","package_name":"github.com/gohugoio/hugo","affected_version":"0.123.0","fixed_version":"0.139.4","bug_id":"osv:GHSA-c2xf-9v2r-r2rx","title":"Hugo does not escape some attributes in internal templates","description":"## Impact\n\nSome HTML attributes in Markdown in the internal templates listed below are not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates.\n\n* `_default/_markup/render-link.html` from `v0.123.0`\n* `_default/_markup/render-image.html` from `v0.123.0`\n* `_default/_markup/render-table.html` from `v0.134.0`\n* `shortcodes/youtube.html` from `v0.125.0`\n\n## Patches\n\nPatched in v0.139.4.\n\n## Workarounds\n\nReplace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault\n\n## References\n\n* https://github.com/gohugoio/hugo/releases/tag/v0.139.4\n* https://gohugo.io/about/security/\n\n\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx","labels":["CVE-2024-55601","GO-2024-3314"],"created_at":"2026-04-19T04:32:48.617267+00:00","updated_at":"2026-04-19T04:32:48.617267+00:00"}],"total":6,"_cache":"miss"}