Skip to main content

Hugo EUVDEUVD-2026-41909

| CVE-2026-50133 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 https://github.com/gohugoio/hugo GHSA-c54g-xjwj-8g82
5.1
CVSS 4.0 · Vendor: https://github.com/gohugoio/hugo
Share

Severity by source

Vendor (https://github.com/gohugoio/hugo) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.4 MEDIUM

AC:H because exploitation requires non-default untrusted HTML content ingestion; PR:L for required content contributor access; S:C for browser scope change; A:N as availability is unaffected.

3.1 AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
SUSE
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (https://github.com/gohugoio/hugo).

CVSS VectorVendor: https://github.com/gohugoio/hugo

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 06, 2026 - 20:22 NVD
5.1 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 20:00 vuln.today
Analysis Generated
Jun 16, 2026 - 20:00 vuln.today

DescriptionCVE.org

Commit: e41a06447d - _Disallow HTML content by default_ Affected versions: all Hugo versions prior to v0.162.0. Fixed in: v0.162.0. Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load.

Description. Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source - for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline - could therefore be served stored cross-site scripting.

Mitigation. v0.162.0 introduces a security.allowContent whitelist with text/html denied by default. Sites that intentionally author HTML content can opt back in:

toml
[security]
allowContent = ['.*']

This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.

AnalysisAI

Stored cross-site scripting in Hugo's content pipeline affects all versions prior to v0.162.0 when the site ingests HTML content from untrusted sources. Hugo emitted the body of any content file mapped to the text/html media type verbatim into the rendered output, making sites backed by CMS editors, external content adapters, or automated import pipelines potential XSS delivery vehicles to end users. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the risk is material for any Hugo deployment that does not fully trust every source populating the /content directory or content adapter pipeline.

Technical ContextAI

Hugo (pkg:go/github.com/gohugoio/hugo) is a Go-based static site generator that supports multiple markup formats including Markdown, AsciiDoc, Org, Pandoc, reStructuredText, and raw HTML. Content files are dispatched to format-specific converters based on their resolved MIME type. Prior to v0.162.0, content files resolving to the text/html media type - either .html files placed under /content or pages emitted by a content adapter that explicitly sets content.mediaType = text/html - bypassed any sanitization and had their body written verbatim into the rendered page. This constitutes a CWE-79 (Improper Neutralization of Input During Web Page Generation / Stored XSS) sink: malicious script tags or event handlers present in the raw HTML source are passed through unchanged into the final site output served to visitors. The fix in commit e41a06447d introduces a security.allowContent whitelist in config/security/securityConfig.go that defaults to denying text/html, enforced at page initialization in hugolib/page__meta.go via CheckAllowedContent() before content is processed.

RemediationAI

Upgrade Hugo to v0.162.0 or later, which is the vendor-confirmed fixed release (https://github.com/gohugoio/hugo/releases/tag/v0.162.0, patch commit e41a06447daa3071a01f333fdcec0a5153c3c8d1). After upgrading, text/html content is blocked by default with no further configuration required. Sites that intentionally serve raw HTML authored by fully trusted parties can opt back in by adding allowContent = ['.*'] under the [security] section in hugo.toml, but this re-enables the original behavior and should only be used when the entire content pipeline is trusted. If an immediate upgrade is not possible, the most effective compensating control is to audit and remove all .html files from the /content directory and disable any content adapters that set content.mediaType = text/html, thereby eliminating the vulnerable content paths. Alternatively, restricting write access to the content pipeline to fully trusted principals (removing CMS editor roles for untrusted contributors, auditing external API integrations) reduces the practical exploitability without modifying Hugo itself, though this carries operational trade-offs if those roles are needed for site workflows.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

EUVD-2026-41909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy