GHSA-q76j-gcg9-vxc6: Hugo: XSS via unescaped code-fence language in default code block renderer
Hugo’s default code-block renderer wrote the Markdown code-fence info-string (the language token after the opening ```) into the <code class="language-…" data-lang="…"> wrapper without HTML escaping. A fence info-string containing a double quote followed by a <script> payload therefore closes the attribute early and injects a live script element into the rendered page, so anyone who can author Markdown for the site can execute script in every visitor's browser.
This is not an issue if you fully trust every Markdown file under /content and every content adapter you load; it matters as soon as any of that content comes from untrusted contributors or user submissions.
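The following Go program is an added illustration of the bug class described above, written for this page; it is not Hugo's own renderer code. It contrasts a renderer that interpolates the info-string straight into the attribute with one that passes it through html.EscapeString first, using a constructed malicious fence info-string as input. The function names and the payload are assumptions made for the example.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed sample input: a fence info-string carrying an attacker payload.
// It contains no whitespace, so CommonMark's "first word is the language"
// rule keeps the whole payload as the language token.
const maliciousInfoString = `go"><script>alert(1)</script>`

// languageFromInfoString extracts the language token the way CommonMark
// does: the first whitespace-delimited word of the info-string.
func languageFromInfoString(info string) string {
	fields := strings.Fields(info)
	if len(fields) == 0 {
		return ""
	}
	return fields[0]
}

// renderCodeBlockUnescaped reproduces the flawed behaviour: the language
// token is written into the class and data-lang attributes verbatim, so a
// double quote in it terminates the attribute value.
func renderCodeBlockUnescaped(lang, code string) string {
	return fmt.Sprintf(`<pre><code class="language-%s" data-lang="%s">%s</code></pre>`,
		lang, lang, code)
}

// renderCodeBlockEscaped is the hardened form: both the attribute values and
// the text content are HTML-escaped before interpolation, so quotes and angle
// brackets from the fence can no longer change the document structure.
func renderCodeBlockEscaped(lang, code string) string {
	safeLang := html.EscapeString(lang)
	return fmt.Sprintf(`<pre><code class="language-%s" data-lang="%s">%s</code></pre>`,
		safeLang, safeLang, html.EscapeString(code))
}

// containsLiveScript is a simple check used here to show whether a render
// produced an unescaped <script> tag.
func containsLiveScript(out string) bool {
	return strings.Contains(out, "<script>")
}

func main() {
	lang := languageFromInfoString(maliciousInfoString)
	code := `fmt.Println("hi")`
	fmt.Println("vulnerable:", renderCodeBlockUnescaped(lang, code))
	fmt.Println("hardened:  ", renderCodeBlockEscaped(lang, code))
}
```

Running the program prints the vulnerable output with a bare <script> element between the two attributes and the hardened output with the same payload reduced to inert text. The point to carry into your own renderers: extracting the first word of the info-string is not a defence, because the payload needs no whitespace; only escaping the value at the attribute boundary closes the hole.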