CVE-2026-50133
Received Received - Intake

Stored XSS in Hugo Static Site Generator

Vulnerability report for CVE-2026-50133, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gohugoio hugo to 0.162.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50133 is a stored cross-site scripting (XSS) vulnerability in Hugo, a static site generator. Prior to version 0.162.0, Hugo would emit the body of files mapped to the text/html media type (such as .html files under the /content directory) verbatim into the rendered page. If a site ingests HTML content from an untrusted source, this behavior could allow malicious scripts to be stored and executed in users' browsers.

The vulnerability arises because untrusted HTML content is not sanitized or blocked by default, leading to a potential XSS attack vector.

The issue was fixed in Hugo version 0.162.0 by introducing a security policy that denies text/html content by default unless explicitly allowed via configuration.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious HTML or JavaScript into your Hugo-generated site if you accept HTML content from untrusted sources. Such injected scripts could execute in the browsers of your site visitors, potentially leading to theft of cookies, session tokens, or other sensitive information.

The stored XSS could compromise the security and integrity of your website, damage your users' trust, and lead to further attacks such as phishing or malware distribution.

To mitigate this risk, you must upgrade to Hugo 0.162.0 or later, which blocks HTML content by default unless explicitly allowed in the configuration.

Detection Guidance

This vulnerability involves Hugo emitting raw HTML content verbatim into rendered pages when the content is mapped to the text/html media type, which can lead to stored cross-site scripting (XSS). To detect if your system is affected, you should check if your Hugo site is running a version prior to 0.162.0 and if it serves HTML content from untrusted sources under the /content directory or via content adapters.

Since the vulnerability is related to how Hugo processes content files, detection involves inspecting your Hugo version and configuration rather than network traffic. You can verify your Hugo version by running the command:

  • hugo version

Additionally, you can search your Hugo configuration file (e.g., hugo.toml) for the presence or absence of the security.allowContent setting that controls whether HTML content is allowed. For example, to check if HTML content is allowed, you can run:

  • grep -i allowContent hugo.toml

To detect if your site serves raw HTML content that could be exploited, you might also inspect the rendered pages for unescaped HTML content or test for XSS by reviewing pages that ingest HTML from untrusted sources.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Hugo installation to version 0.162.0 or later, where the issue is fixed by default.

If upgrading immediately is not possible, you can configure Hugo to disallow HTML content by default by setting the security.allowContent whitelist in your Hugo configuration file (e.g., hugo.toml) to deny text/html content unless explicitly allowed.

  • Upgrade Hugo to version 0.162.0 or later.
  • Set or verify the security.allowContent setting to disallow text/html content by default.
  • Review and sanitize any HTML content ingested from untrusted sources before including it in your site.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50133. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart