๐Ÿ” CVE Alert

CVE-2026-50133

UNKNOWN 0.0

Hugo: XSS via text/html content files

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
22th

Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.

CWE CWE-79
Vendor gohugoio
Product hugo
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for gohugoio hugo

Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

gohugoio / hugo
< 0.162.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82 github.com: https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1 github.com: https://github.com/gohugoio/hugo/releases/tag/v0.162.0