Every CVE whose affected-product data names Gohugo Hugo, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2026-44301 — CVSS 8.1 (high): Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS…
CVE-2020-26284 — CVSS 7.7 (high): Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of…
CVE-2026-58404 — CVSS 6.8 (medium): Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback…
CVE-2026-58403 — CVSS 6.5 (medium): Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot…
CVE-2026-50133 — CVSS 6.1 (medium): Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html…
CVE-2026-50134 — CVSS 5.8 (medium): Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with…
CVE-2026-50135 — CVSS 5.5 (medium): Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of…
CVE-2026-58402 — CVSS 5.4 (medium): Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or…
CVE-2026-35166 — CVSS 5.4 (medium): Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not…