HTTP Redirection Vulnerability in Hugo Static Site Generator
CVE-2026-50134
6.3MEDIUM
What is CVE-2026-50134?
The Hugo static site generator has a vulnerability that allows unauthorized HTTP redirection. Specifically, the resources.GetRemote function failed to re-validate intermediate URLs during HTTP 3xx redirects. This could lead to an allowed server or a malicious actor, through DNS manipulation, redirecting requests to unapproved locations. Consequently, Hugo could fetch content from these altered destinations, bypassing any restrictions set by the user. This flaw was addressed in version 0.162.0.
Affected Version(s)
hugo >= 0.91.0, < 0.162.0
