The Data Anomaly
WebPulse tracks CVE data from the National Vulnerability Database for 25 web frameworks. Twenty-three of them have recorded vulnerabilities. Two occupy a category of their own. Hugo, the Go-based static site generator, has zero CVEs — not zero critical, not zero in the last year. Zero total, across the entire NVD history. HTMX, the HTML-over-the-wire library, has zero critical CVEs. In a dataset where WordPress carries 18,321 CVEs and even modern frameworks like Next.js carry 92, zero is not a rounding error. It is an architectural signal.
Why Hugo Has Zero CVEs
Hugo's zero-CVE record is not the result of obscurity. Hugo has 16,743 detected sites in WebPulse's WARC scan and is actively maintained with ongoing releases. Its clean record is architectural. Hugo is a compiled Go binary that reads Markdown files, applies templates, and outputs static HTML, CSS, and JavaScript files. There is no runtime server. There is no database connection. There is no plugin system that can execute arbitrary code. There is no user-facing input processing on the generated site.
The attack surface of a Hugo-generated site is the attack surface of a web server serving static files — which is the attack surface of Nginx or Apache or Cloudflare's CDN, not of Hugo itself. Hugo's security boundary ends at build time. The compiled binary processes trusted input (the site owner's Markdown files and templates) and produces inert output (HTML files). There is no mechanism by which a remote attacker can interact with Hugo after the site is deployed. No SQL injection, no XSS through user input, no remote code execution through file uploads, no authentication bypass — because there is no SQL, no user input processing, no file uploads, and no authentication layer to bypass.
Why HTMX Minimizes Attack Surface
HTMX takes a different architectural approach to the same result. HTMX is a 14KB JavaScript library that extends HTML with attributes for making HTTP requests and swapping DOM elements. It does not manage state. It does not bundle a virtual DOM. It does not require a build step. The server handles all business logic and returns HTML fragments. The client is a thin rendering layer that does what browsers were originally designed to do: display HTML received from a server.
This architecture pushes the security boundary to the server framework (Django, FastAPI, Rails, Express) where security practices are mature and well-understood. HTMX itself does not process untrusted input, does not store data, and does not make security-relevant decisions. Its WebPulse security score of 95.0 (not 100.0 because it has a small number of non-critical CVEs) reflects a library that is architecturally resistant to the vulnerability classes that affect larger JavaScript frameworks.
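The boundary described above, as an added example that is not part of the original article or of HTMX itself: because the browser swaps in whatever HTML fragment the server returns, output escaping on the server is the control that matters. The comment rows, the function names and the allow-list are constructed for illustration, and Python's standard library stands in for a server framework's template engine.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample rows, as a server might load them to answer an hx-get request.
COMMENTS = [
    {"author": "alice", "body": "Works for me"},
    {"author": "mallory", "body": '<img src=x onerror="alert(1)">'},
]

def render_unsafe(rows):
    """Interpolates stored text directly: markup in a row becomes live DOM."""
    items = "".join(
        f'<li title="{r["author"]}">{r["body"]}</li>' for r in rows
    )
    return f'<ul id="comments">{items}</ul>'

def render_escaped(rows):
    """Escapes every dynamic value, in both text and attribute contexts."""
    items = "".join(
        f'<li title="{escape(r["author"], quote=True)}">{escape(r["body"])}</li>'
        for r in rows
    )
    return f'<ul id="comments">{items}</ul>'

class TagCollector(HTMLParser):
    """Records every element and attribute name a browser would create."""
    def __init__(self):
        super().__init__()
        self.seen = set()

    def handle_starttag(self, tag, attrs):
        self.seen.add(tag)
        self.seen.update(f"{tag}@{name}" for name, _ in attrs)

ALLOWED = {"ul", "ul@id", "li", "li@title"}  # what the template itself emits

def unexpected_markup(fragment):
    """Returns elements/attributes in the fragment that the template did not author."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return sorted(collector.seen - ALLOWED)

if __name__ == "__main__":
    print("unsafe :", unexpected_markup(render_unsafe(COMMENTS)))
    print("escaped:", unexpected_markup(render_escaped(COMMENTS)))
```

A template engine with autoescaping enabled does the work of render_escaped; the allow-list check is useful as a regression test on fragment endpoints.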
Who Should Migrate to Zero-CVE Targets
Hugo and HTMX are not universal migration destinations. They solve specific problems for specific organizational profiles. Hugo is the migration target for content-heavy sites that currently run on WordPress, Drupal, or Gatsby — sites where the primary function is publishing authored content, not processing user transactions. Documentation sites, marketing sites, knowledge bases, and corporate blogs are natural Hugo candidates. The migration trades WordPress's 18,321 CVEs for Hugo's 0 CVEs while often reducing hosting costs by 60 to 80%.
HTMX is the migration target for server-rendered applications that have accumulated JavaScript framework complexity without needing it. Internal dashboards, admin panels, CRUD applications, and form-heavy workflows that were built with React or Vue but do not require client-side state management are HTMX candidates. The migration reduces the JavaScript bundle, eliminates the build step, and shifts security responsibility to a single server framework rather than distributing it across client and server stacks.
The Supply Chain Advantage
Beyond the CVE count itself, zero-CVE frameworks offer a supply chain advantage that compounds over time. Hugo has no npm dependencies — it is distributed as a single compiled binary. There are no transitive dependencies to audit, no package-lock.json to scan, no node_modules directory with 800 packages from unknown maintainers. HTMX is distributed as a single JavaScript file with no dependencies. The supply chain attack surface — which accounts for a growing share of web application compromises — is effectively zero for both frameworks. An organization deploying Hugo or HTMX cannot be compromised through a dependency it did not choose.
The Limitation
Zero-CVE frameworks achieve their security posture through constraint. Hugo cannot build a SaaS application. HTMX cannot build a real-time collaborative editor. Organizations that need rich client-side interactivity, complex state management, or offline-capable progressive web apps will not find those capabilities in Hugo or HTMX. The migration target must match the application's requirements, not just the security scorecard.
That said, WebPulse's WARC scan detected 7.4 million WordPress sites. A significant share of those sites — brochure pages, blogs, documentation, marketing content — fall squarely within Hugo's capability envelope. They run a framework with 18,321 CVEs to serve content that could be served with zero CVEs. The migration is not a compromise. For content sites, it is an upgrade on every dimension WebPulse measures: security (25.0 to 100.0), AI-readiness (35.0 to 88.0), and performance (static files outperform dynamic PHP on every metric).


