Hugo released v0.163.1 this week. In the security column of its release notes: nothing. No patches, no advisories, no CVEs fixed. That's not negligence — it's a perfect record.
Zero Means Zero
Hugo has zero entries in the National Vulnerability Database. Not 'zero critical.' Not 'zero exploited.' Zero total. Across 11 years of releases, the NVD has never assigned a CVE to Hugo.
Why Hugo Is Different
Hugo is compiled Go. No plugins. No database. No runtime dependencies. No PHP interpreter. No JavaScript execution on the server. The attack surface is the Go binary itself — and Go's memory safety eliminates the buffer overflows that produce CVEs in C/C++ projects.
Every HTML page Hugo generates is a flat file served from a CDN. There is no server-side code path for an attacker to exploit. The security model is: there is nothing to attack.
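The flat-file property holds only if the published directory contains nothing a web server would interpret, and Hugo copies everything under static/ into its output verbatim. The following is an added example, not Hugo's own code or part of the original post, that audits the output directory before deployment. The function name AuditPublishDir and the extension list are assumptions made for this example; public is Hugo's default output directory.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Extensions (and dotfiles) a web server may interpret rather than serve as
// bytes. Constructed list for this example; extend it for your hosting stack.
var serverSide = map[string]bool{
	".php": true, ".phtml": true, ".cgi": true, ".pl": true, ".asp": true,
	".aspx": true, ".jsp": true, ".py": true, ".sh": true, ".htaccess": true,
}

// AuditPublishDir returns the slash-separated relative paths of files under
// root that are not plain static content.
func AuditPublishDir(root string) ([]string, error) {
	var findings []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err // propagate walk errors; nil lets the walk descend
		}
		// filepath.Ext(".htaccess") is ".htaccess", so dotfiles match too.
		if serverSide[strings.ToLower(filepath.Ext(d.Name()))] {
			rel, relErr := filepath.Rel(root, p)
			if relErr != nil {
				return relErr
			}
			findings = append(findings, filepath.ToSlash(rel))
		}
		return nil
	})
	return findings, err
}

func main() {
	findings, err := AuditPublishDir("public") // Hugo's default output directory
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println("not static:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it from the site root after building; a non-zero exit status can fail the deploy step in CI.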
The Tradeoff
Hugo isn't for every project. It's static-first — dynamic functionality requires external services or JavaScript. But for content sites, documentation, and marketing pages, the security argument is absolute: zero CVEs vs. thousands.