Hugo XSS via unescaped codefence language 0.60.00.163.2
CVE-2026-58402 Published on July 6, 2026

Hugo default code block renderer XSS via unescaped code-fence language
Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-" data-lang="" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.

NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2026-58402 has been classified to as a XSS vulnerability or weakness.


Affected Versions

gohugoio hugo Version >= 0.60.0, < 0.163.3 is affected by CVE-2026-58402