Date: Fri, 29 May 2026 21:33:40 +0000
From: Fernando Apesteguía <fernape@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: 0a0abf3f77d1 - main - security/vuxml: Add www/gohugo vulnerabilities
Message-ID: <6a1a0634.394a8.4699ce02@gitrepo.freebsd.org>
The branch main has been updated by fernape:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0a0abf3f77d18d9e187406155951539119042535

commit 0a0abf3f77d18d9e187406155951539119042535
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2026-05-29 21:32:42 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2026-05-29 21:33:24 +0000

    security/vuxml: Add www/gohugo vulnerabilities

    * CVE-2026-39826
    * CVE-2026-39823
---
 security/vuxml/vuln/2026.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml index b2e6c10a05a5..09a0bf67f6f3 100644 --- a/security/vuxml/vuln/2026.xml +++ b/security/vuxml/vuln/2026.xml 
@@ -1,3 +1,45 @@ + <vuln vid="20d59b47-5ba3-11f1-bf1b-b42e991fc52e"> + <topic>www/gohugo -- CWE-79: XSS vulnerabilities</topic> + <affects> + <package> + <name>gohugo</name> + <range><lt>0.162.0,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>https://go.dev/issue/78913 reports:</p> + <blockquote cite="https://go.dev/issue/78913"> + <p> + CVE-2026-27142 fixed a vulnerability in which URLs were + not correctly escaped inside of a <meta> tag's + <content> attribute. If the URL content were to + insert ASCII whitespaces around the '=' rune inside of the + <content> attribute, the escaper would fail to + similarly escape it, leading to XSS. + </p> + <p> + If a trusted template author were to write a <script> + tag containing an empty 'type' attribute or a 'type' + attribute with an ASCII whitespace, the execution of the + template would incorrectly escape any data passed into the + <script> block. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2026-39823</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2026-39823</url> + <cvename>CVE-2026-39826</cvename> + <url>https://cveawg.mitre.org/api/cve/CVE-2026-39826</url> + </references> + <dates> + <discovery>2026-05-07</discovery> + <entry>2026-05-29</entry> + </dates> + </vuln> + <vuln vid="2eb8a9ab-5b5d-11f1-8607-8447094a420f"> <topic>MariaDB -- Multiple vulnerabilities</topic> <affects>home | help
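Review bot: In the <description> blockquote of the new gohugo entry, the two paragraphs are not tied to the two ids listed under <references>: the only CVE named in the text is CVE-2026-27142, which is the earlier fix, while CVE-2026-39823 and CVE-2026-39826 appear only as <cvename> elements. Consider stating which paragraph belongs to which CVE, and, if the second paragraph comes from a different upstream report than https://go.dev/issue/78913, giving it its own blockquote with its own cite attribute. The quoted text describes template escaping behaviour and never mentions gohugo, so a short sentence outside the blockquote saying how www/gohugo is affected and that 0.162.0 carries the fix would help anyone reading this entry from pkg audit output. As shown here the body also contains bare <meta>, <content> and <script>; inside the XHTML <body> these have to be written as entities (&lt;meta&gt; and so on), otherwise they are parsed as unclosed elements and the file will not validate. Finally, both <url> references point at the cveawg.mitre.org API endpoint, so a link to the upstream issue or release notes alongside them would give readers something more useful to follow.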
