Upstream information
Description
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CVSS detail | SUSE |
|---|---|
| Base Score | 4.6 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
| CVSS detail | CNA (GitHub) | SUSE |
|---|---|---|
| Base Score | 5.3 | 5.3 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Attack Requirements | None | None |
| Privileges Required | None | None |
| User Interaction | Passive | Passive |
| Vulnerable System Confidentiality Impact | None | None |
| Vulnerable System Integrity Impact | None | None |
| Vulnerable System Availability Impact | None | None |
| Subsequent System Confidentiality Impact | Low | Low |
| Subsequent System Integrity Impact | Low | Low |
| Subsequent System Availability Impact | None | None |
| CVSSv4 Version | 4.0 | 4.0 |
SUSE Timeline for this CVE
CVE page created: Mon Apr 6 22:00:30 2026CVE page last modified: Tue Apr 14 21:54:35 2026