Description
Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
Published: 2026-07-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hugo previously rendered content files with the media type text/html exactly as submitted. If an attacker supplies malicious HTML content, those payloads are literally embedded into the generated pages, enabling stored cross‑site scripting that can steal user data, hijack sessions, or modify site content. The underlying weakness is a classic input validation flaw (CWE‑79).

Affected Systems

The vulnerability affects the Hugo static site generator from the gohugoio organization. All releases prior to version 0.162.0 are susceptible, while version 0.162.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is <1%, indicating a very low but nonzero exploitation probability, and the issue is not in the CISA KEV catalog. An attacker would need to supply or modify a text/html content file—either by uploading or by adjusting the content adapter—to have the payload included in the rendered site. Once the site is built, the XSS can be executed in any user’s browser that visits the affected page.

Generated by OpenCVE AI on July 7, 2026 at 17:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hugo to version 0.162.0 or later.
  • If an upgrade is infeasible, avoid ingesting untrusted HTML content; convert or sanitize such files before they are rendered.
  • Implement strict input validation to reject or escape data that would be interpreted as HTML.

Generated by OpenCVE AI on July 7, 2026 at 17:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c54g-xjwj-8g82 Hugo: XSS via text/html content files
History

Tue, 07 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Gohugo
Gohugo hugo
Vendors & Products Gohugo
Gohugo hugo

Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
Title Hugo: XSS via text/html content files
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T14:44:31.886Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50133

cve-icon Vulnrichment

Updated: 2026-07-07T14:44:26.180Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T17:30:17Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')