CVE-2026-58402 in Hugo
Summary
by MITRE • 07/06/2026
Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/07/2026
This vulnerability affects Hugo static site generators version 0.60.0 through 0.163.3, where the default code-block renderer contains a critical security flaw in how it handles Markdown code fence information strings. The issue stems from insufficient HTML escaping during the rendering process of code blocks, specifically when processing the language identifier or info-string that follows the opening code fence. When a user inputs a code fence with an info-string containing a quote character followed by malicious script payload, the renderer fails to properly escape these special characters before embedding them into HTML attributes.
The technical flaw manifests in the class attribute and data-lang attribute handling within the generated HTML output. The renderer directly incorporates the raw info-string content without proper sanitization, creating an injection vulnerability that allows attackers to break out of HTML attribute boundaries. This vulnerability is classified under CWE-79 as Cross-Site Scripting (XSS) and specifically represents a DOM-based XSS attack vector where malicious script execution occurs in the browser context. The exploitation mechanism follows the standard XSS pattern where unescaped quotes in HTML attributes enable payload injection, allowing arbitrary JavaScript code to execute when users view the rendered static site.
The operational impact of this vulnerability is significant for Hugo users who generate content dynamically or accept user-submitted Markdown content. An attacker could craft malicious code fences that, when rendered by the vulnerable Hugo version, would inject executable scripts into the generated HTML output. This creates a persistent threat where any visitor accessing the compromised site could be subjected to various attacks including session hijacking, credential theft, or redirection to malicious domains. The vulnerability affects both the developer's own content and any user-contributed content that gets processed through the static site generation pipeline, making it particularly dangerous for collaborative platforms or content management systems built on Hugo.
The fix implemented in version 0.163.3 addresses this issue by introducing proper HTML escaping mechanisms for info-string content before embedding it into HTML attributes. This mitigation aligns with security best practices outlined in the OWASP Top Ten and follows the principle of input sanitization to prevent XSS attacks. Organizations should immediately upgrade to Hugo version 0.163.3 or later to resolve this vulnerability, while also implementing additional defensive measures such as content validation for user submissions and regular security auditing of generated static sites. The fix demonstrates the importance of proper output encoding in web applications and serves as a reminder that even static site generators can contain security vulnerabilities when processing dynamic user input without adequate sanitization measures. This vulnerability also maps to ATT&CK technique T1203 (Exploitation for Client Execution) and highlights the need for comprehensive security testing across all components of modern web application stacks including static site generation tools.