Stored Cross-Site Scripting Vulnerability in Hugo Static Site Generator
CVE-2026-50133
5.1MEDIUM
What is CVE-2026-50133?
Hugo, a popular static site generator, allows content files in various markup formats. In versions before 0.162.0, the application emitted the body of HTML files verbatim into rendered pages. This behavior poses a significant risk, as it enables attackers to exploit the system by injecting malicious scripts into the HTML content from untrusted sources. Users can experience stored cross-site scripting attacks, jeopardizing security. The vulnerability has been addressed in version 0.162.0, and users are strongly advised to upgrade to this version to mitigate the risks associated with untrusted HTML content ingestion.
Affected Version(s)
hugo < 0.162.0
