๐Ÿ” CVE Alert

CVE-2026-50134

UNKNOWN 0.0

Hugo: security.http.urls allow-list bypass via HTTP redirects

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
26th

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.

CWE CWE-918
Vendor gohugoio
Product hugo
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for gohugoio hugo

Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

gohugoio / hugo
>= 0.91.0, < 0.162.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g github.com: https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50 github.com: https://github.com/gohugoio/hugo/releases/tag/v0.162.0