CVE-2026-35166: Hugo: Certain markdown links are not properly escaped

April 3, 2026 (updated April 6, 2026)

Links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected.

References

github.com/advisories/GHSA-mcv8-8m8x-48pg
github.com/gohugoio/hugo
github.com/gohugoio/hugo/commit/479fe6c654937a850b65e74551dc4e857d52898f
github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg
nvd.nist.gov/vuln/detail/CVE-2026-35166

Code Behaviors & Features

Detect and mitigate CVE-2026-35166 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →