Nixpkgs security tracker

Untriaged

Permalink CVE-2026-35166

created 1 week, 1 day ago

Hugo does not properly escape some Markdown links

Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.

References

https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg x_refsource_CONFIRM

Affected products

hugo

==>= 0.60.0, < 0.159.2

Matching in nixpkgs

pkgs.hugo

Fast and modern static website engine

nixos-unstable 0.159.0
- nixpkgs-unstable 0.159.2
- nixos-unstable-small 0.159.2
nixos-25.11 0.152.2
- nixos-25.11-small 0.152.2
- nixpkgs-25.11-darwin 0.152.2

pkgs.ghosttohugo

Convert Ghost export to Hugo posts

nixos-unstable 0.5.3
- nixpkgs-unstable 0.5.3
- nixos-unstable-small 0.5.3
nixos-25.11 0.5.3
- nixos-25.11-small 0.5.3
- nixpkgs-25.11-darwin 0.5.3

pkgs.vscode-extensions.budparr.language-hugo-vscode

Adds syntax highlighting and snippets to Hugo files in VS Code

nixos-unstable 1.3.1
- nixpkgs-unstable 1.3.1
- nixos-unstable-small 1.3.1
nixos-25.11 1.3.1
- nixos-25.11-small 1.3.1
- nixpkgs-25.11-darwin 1.3.1

Package maintainers

@clerie clerie <nix@clerie.de>
@Br1ght0ne Oleksii Filonenko <brightone@protonmail.com>
@schneefux schneefux <schneefux+nixos_pkg@schneefux.xyz>
@Frostman Sergei Lukianov <me@slukjanov.name>
@FedericoSchonborn Federico Damián Schonborn <federicoschonborn@disroot.org>
@ohheyrj ohheyrj <richard@ohheyrj.co.uk>

Suggestions search