Stored Cross-Site Scripting Vulnerability in Hugo Static Site Generator
CVE-2026-50133

5.1MEDIUM

Key Information:

Vendor

Gohugoio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-50133?

Hugo, a popular static site generator, allows content files in various markup formats. In versions before 0.162.0, the application emitted the body of HTML files verbatim into rendered pages. This behavior poses a significant risk, as it enables attackers to exploit the system by injecting malicious scripts into the HTML content from untrusted sources. Users can experience stored cross-site scripting attacks, jeopardizing security. The vulnerability has been addressed in version 0.162.0, and users are strongly advised to upgrade to this version to mitigate the risks associated with untrusted HTML content ingestion.

Affected Version(s)

hugo < 0.162.0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.