CVE-2026-35166 Overview
Hugo, a popular static site generator, contains a Cross-Site Scripting (XSS) vulnerability in its default Markdown to HTML renderer. From version 0.60.0 to before 0.159.2, links and image links are not properly escaped, potentially allowing attackers to inject malicious scripts into generated web pages. This vulnerability affects Hugo users who rely on untrusted Markdown content without implementing custom render hooks for links and images.
Critical Impact
Improper escaping of links and image links in Hugo's Markdown renderer can enable Cross-Site Scripting attacks, potentially compromising website visitors through malicious script injection.
Affected Products
- Hugo versions 0.60.0 through 0.159.1
- Hugo static site generator deployments using default Markdown rendering
- Websites built with Hugo processing untrusted Markdown content
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-35166 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35166
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw exists in Hugo's default Markdown to HTML rendering pipeline, specifically in how the renderer processes link and image elements.
When Hugo converts Markdown content to HTML, the default renderer fails to properly escape special characters within link URLs and image source attributes. This oversight allows malicious actors to craft Markdown content containing JavaScript payloads that execute when the generated HTML is rendered in a victim's browser.
The network-based attack vector requires user interaction, as victims must visit a page containing the malicious content. The vulnerability impacts the confidentiality and integrity of secondary systems (the visitor's browser context) rather than the Hugo application itself.
Root Cause
The root cause stems from insufficient input sanitization in Hugo's Markdown parser when handling link and image elements. The default render hooks do not adequately escape URL schemes and special characters before outputting HTML, allowing attackers to inject executable JavaScript through crafted href or src attributes using techniques such as javascript: URI schemes or event handler injection.
Attack Vector
An attacker can exploit this vulnerability by submitting malicious Markdown content to a Hugo-based website that accepts user-generated content. The attack requires:
- A Hugo site running a vulnerable version (0.60.0 to 0.159.1)
- The site must process untrusted Markdown without custom render hooks
- A victim must view the rendered page containing the malicious content
When the crafted Markdown is processed by Hugo's default renderer, the improper escaping allows JavaScript to execute in the context of the victim's browser session, potentially leading to session hijacking, credential theft, or further malicious actions.
Detection Methods for CVE-2026-35166
Indicators of Compromise
- Presence of suspicious javascript: URI schemes in generated HTML link or image elements
- Unusual event handlers embedded within anchor or image tags in static HTML output
- Reports of unexpected script execution or browser warnings when visiting Hugo-generated pages
- Markdown files containing encoded or obfuscated payloads in link definitions
Detection Strategies
- Audit generated HTML files for improperly escaped link and image attributes
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Review web server logs for unusual patterns in user-submitted Markdown content
- Deploy web application firewalls (WAF) with XSS detection rulesets
Monitoring Recommendations
- Enable browser-side XSS auditing and monitor for triggered warnings
- Set up automated scanning of Hugo build output for XSS patterns before deployment
- Monitor user-submitted content for suspicious link or image Markdown syntax
- Implement real-time alerting on CSP violation reports
How to Mitigate CVE-2026-35166
Immediate Actions Required
- Upgrade Hugo to version 0.159.2 or later immediately
- Implement custom render hooks for links and images to enforce proper escaping
- Review and audit any user-generated Markdown content for malicious payloads
- Deploy Content Security Policy headers to mitigate XSS impact
Patch Information
The vulnerability is fixed in Hugo version 0.159.2. Users should upgrade to this version or later to address the improper escaping issue. For detailed information about the security fix, refer to the GitHub Security Advisory.
Workarounds
- Implement custom render hooks for links and images that properly sanitize and escape all attributes
- Only process Markdown content from trusted sources until the upgrade is applied
- Deploy Content Security Policy headers with strict script-src directives to block inline JavaScript execution
- Consider using an external Markdown sanitization library as a pre-processing step
# Upgrade Hugo to patched version
# Using Go
go install github.com/gohugoio/hugo@v0.159.2
# Using Homebrew (macOS)
brew upgrade hugo
# Verify installed version
hugo version
# Ensure output shows v0.159.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
