github.com/gohugoio/hugo known bugs
go6 known bugs in github.com/gohugoio/hugo, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.
6
bugs
Known bugs
| Severity | Affected | Fixed in | Title | Status | Source |
|---|---|---|---|---|---|
| high | any | 0.79.1 | Hugo can execute a binary from the current directory on Windows ## Impact
Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. However, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one.
Windows users who run `hugo` inside untrusted Hugo sites are affected.
## Patches
Users should upgrade to Hugo v0.79.1. | fixed | osv:GHSA-8j34-9876-pvfq |
| medium | 0.123.0 | 0.139.4 | Hugo does not escape some attributes in internal templates in github.com/gohugoio/hugo Hugo does not escape some attributes in internal templates in github.com/gohugoio/hugo | fixed | osv:GO-2024-3314 |
| medium | 0.123.0 | 0.125.3 | Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo | fixed | osv:GO-2024-2747 |
| medium | 0.123.0 | 0.125.3 | Hugo Markdown titles do not escaped in internal render hooks ### Impact
Title argument in Markdown for links and images not escaped in internal render hooks. Impacted are Hugo users who have these hooks enabled and do not trust their Markdown content files.
### Patches
Patched in v0.125.3.
### Workarounds
Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
### References
https://github.com/gohugoio/hugo/releases/tag/v0.125.3 | fixed | osv:GHSA-ppf8-hhpp-f5hj |
| medium | 0.60.0 | 0.159.2 | Hugo: Certain markdown links are not properly escaped ### Impact
Links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected.
### Patches
Patched in v0.159.2
### Workarounds
Create custom render hooks for links and images in a Hugo theme/project. | fixed | osv:GHSA-mcv8-8m8x-48pg |
| medium | 0.123.0 | 0.139.4 | Hugo does not escape some attributes in internal templates ## Impact
Some HTML attributes in Markdown in the internal templates listed below not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates.
* `_default/_markup/render-link.html` from `v0.123.0`
* `_default/_markup/render-image.html` from `v0.123.0`
* `_default/_markup/render-table.html` from `v0.134.0`
* `shortcodes/youtube.html` from `v0.125.0`
## Patches
Patched in v0.139.4.
## Workarounds
Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
## References
* https://github.com/gohugoio/hugo/releases/tag/v0.139.4
* https://gohugo.io/about/security/
| fixed | osv:GHSA-c2xf-9v2r-r2rx |
API access
Get this data programmatically \u2014 free, no authentication.
curl https://depscope.dev/api/bugs/go/github.com/gohugoio/hugo