{"id":"CVE-2024-55601","summary":"Hugo does not escape some attributes in internal templates","details":"Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below are not escaped in internal render hooks. Those who are impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user-defined templates or disable the internal templates.","aliases":["GHSA-c2xf-9v2r-r2rx","GO-2024-3314"],"modified":"2026-04-10T05:18:36.594720Z","published":"2024-12-09T21:11:10.463Z","related":["openSUSE-SU-2024:14599-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55601.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/gohugoio/hugo/releases/tag/v0.139.4"},{"type":"WEB","url":"https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55601.json"},{"type":"ADVISORY","url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55601"},{"type":"FIX","url":"https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gohugoio/hugo","events":[{"introduced":"0"},{"fixed":"54398f8d572c689f9785d59e907fd910a23401b0"}]},{"type":"GIT","repo":"https://github.com/gohugoio/hugo","events":[{"introduced":"0"},{"fixed"
:"3afe91d4b1b069abbedd6a96ed755b1e12581dfe"}]}],"versions":["v0.10","v0.100.0","v0.100.1","v0.100.2","v0.101.0","v0.102.0","v0.102.3","v0.103.1","v0.104.0","v0.104.1","v0.104.2","v0.104.3","v0.105.0","v0.106.0","v0.107.0","v0.108.0","v0.109.0","v0.11","v0.110.0","v0.111.1","v0.111.2","v0.111.3","v0.112.0","v0.112.1","v0.112.2","v0.112.3","v0.112.4","v0.112.6","v0.112.7","v0.113.0","v0.114.0","v0.115.0","v0.115.1","v0.115.2","v0.115.3","v0.115.4","v0.116.0","v0.116.1","v0.118.0","v0.118.1","v0.118.2","v0.119.0","v0.12","v0.120.0","v0.120.1","v0.120.2","v0.120.3","v0.120.4","v0.121.0","v0.121.1","v0.121.2","v0.122.0","v0.123.1","v0.123.2","v0.123.3","v0.123.4","v0.123.5","v0.123.6","v0.123.7","v0.123.8","v0.124.0","v0.124.1","v0.125.0","v0.125.1","v0.125.2","v0.125.4","v0.125.5","v0.125.6","v0.125.7","v0.126.0","v0.126.1","v0.126.3","v0.127.0","v0.128.0","v0.128.1","v0.128.2","v0.129.0","v0.13","v0.130.0","v0.131.0","v0.132.0","v0.132.1","v0.132.2","v0.133.0","v0.133.1","v0.134.0","v0.134.1","v0.134.2","v0.134.3","v0.135.0","v0.136.0","v0.136.1","v0.136.2","v0.136.3","v0.136.5","v0.137.0","v0.137.1","v0.138.0","v0.139.0","v0.139.1","v0.139.2","v0.139.3","v0.14","v0.15","v0.16","v0.17","v0.18","v0.19","v0.20","v0.20.1","v0.20.4","v0.21","v0.22","v0.22.1","v0.23","v0.24","v0.25","v0.25.1","v0.26","v0.27","v0.27.1","v0.28","v0.29","v0.30","v0.30.1","v0.30.2","v0.31","v0.31.1","v0.32","v0.32.1","v0.32.2","v0.32.3","v0.32.4","v0.33","v0.34","v0.35","v0.36","v0.37","v0.37.1","v0.38","v0.38.1","v0.38.2","v0.39","v0.40","v0.40.1","v0.40.2","v0.42.1","v0.43","v0.44","v0.45","v0.45.1","v0.46","v0.47","v0.47.1","v0.48","v0.49","v0.50","v0.51","v0.52","v0.53","v0.54.0","v0.55.0","v0.55.1","v0.55.2","v0.55.3","v0.55.4","v0.55.5","v0.56.0","v0.56.2","v0.56.3","v0.57.0","v0.57.1","v0.57.2","v0.58.0","v0.58.1","v0.58.2","v0.58.3","v0.59.0","v0.59.1","v0.60.0","v0.60.1","v0.61.0","v0.62.0","v0.62.1","v0.62.2","v0.63.0","v0.63.1","v0.63.2","v0.64.0","v0.64.1","v0.65.0","v0.65.1","v0.65
.2","v0.65.3","v0.66.0","v0.67.0","v0.67.1","v0.68.0","v0.68.1","v0.68.2","v0.68.3","v0.69.0","v0.69.1","v0.69.2","v0.7","v0.70.0","v0.71.0","v0.71.1","v0.72.0","v0.74.0","v0.74.1","v0.74.2","v0.74.3","v0.75.0","v0.75.1","v0.76.0","v0.76.1","v0.76.2","v0.76.4","v0.77.0","v0.78.0","v0.78.1","v0.78.2","v0.79.0","v0.80.0","v0.81.0","v0.82.0","v0.83.0","v0.83.1","v0.84.0","v0.84.1","v0.84.2","v0.84.3","v0.84.4","v0.85.0","v0.86.0","v0.87.0","v0.88.0","v0.88.1","v0.89.0","v0.89.1","v0.89.2","v0.89.3","v0.89.4","v0.9","v0.90.0","v0.90.1","v0.91.0","v0.91.1","v0.91.2","v0.92.0","v0.92.1","v0.92.2","v0.93.0","v0.93.1","v0.93.2","v0.93.3","v0.94.0","v0.94.1","v0.94.2","v0.95.0","v0.97.0","v0.97.1","v0.97.2","v0.97.3","v0.98.0","v0.99.0","v0.99.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-55601.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}