Impact
Hugo previously rendered content files with the media type text/html exactly as submitted. If an attacker supplies malicious HTML content, those payloads are literally embedded into the generated pages, enabling stored cross‑site scripting that can steal user data, hijack sessions, or modify site content. The underlying weakness is a classic input validation flaw (CWE‑79).
Affected Systems
The vulnerability affects the Hugo static site generator from the gohugoio organization. All releases prior to version 0.162.0 are susceptible, while version 0.162.0 and later contain the fix.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. The EPSS score is <1%, indicating a very low but nonzero exploitation probability, and the issue is not in the CISA KEV catalog. An attacker would need to supply or modify a text/html content file—either by uploading or by adjusting the content adapter—to have the payload included in the rendered site. Once the site is built, the XSS can be executed in any user’s browser that visits the affected page.
OpenCVE Enrichment
Github GHSA