CVE-2026-58402
Hugo (static site generator) from version 0.60.0 up to 0.163.3 is affected: its default code-block renderer writes the Markdown code-fence language/info-string into the code element wrapper (class="language-…", data-lang="…") without HTML escaping. A fence info-string containing a quote and a scr...