Publish GHSA-mcv8-8m8x-48pg

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-mcv8-8m8x-48pg/GHSA-mcv8-8m8x-48pg.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mcv8-8m8x-48pg",
+  "modified": "2026-04-03T23:38:19Z",
+  "published": "2026-04-03T23:38:19Z",
+  "aliases": [
+    "CVE-2026-35166"
+  ],
+  "summary": "Hugo: Certain markdown links are not properly escaped",
+  "details": "### Impact\nLinks and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected.\n\n### Patches\nPatched in  v0.159.2\n\n### Workarounds\nCreate custom render hooks for links and images in a Hugo theme/project.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/gohugoio/hugo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.60.0"
+            },
+            {
+              "fixed": "0.159.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gohugoio/hugo/commit/479fe6c654937a850b65e74551dc4e857d52898f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/gohugoio/hugo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T23:38:19Z",
+    "nvd_published_at": null
+  }
+}