Upstream information
Description
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
SUSE information
Overall state of this security issue: Does not affect SUSE products
SUSE Bugzilla entry: 1262105 [NEW]
No SUSE Security Announcements cross referenced.
SUSE Timeline for this CVE
CVE page created: Mon Apr 6 22:00:30 2026
CVE page last modified: Fri May 8 12:08:57 2026