Please read Hugo's Security Model first. If the issue reproduces in an upstream project, please report it there — we cannot triage or patch on their behalf.

If, after the above, you believe you have found a vulnerability in Hugo itself with a concrete, reproducible impact, report it privately to bjorn.erik.pedersen@gmail.com. Include a minimal reproducer, the Hugo version, and the observed vs. expected behavior.

You should receive an initial response within a few days. Confirmed issues are typically patched within days, depending on complexity.