HTTP Redirection Vulnerability in Hugo Static Site Generator
CVE-2026-50134

6.3MEDIUM

Key Information:

Vendor

Gohugoio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-50134?

The Hugo static site generator has a vulnerability that allows unauthorized HTTP redirection. Specifically, the resources.GetRemote function failed to re-validate intermediate URLs during HTTP 3xx redirects. This could lead to an allowed server or a malicious actor, through DNS manipulation, redirecting requests to unapproved locations. Consequently, Hugo could fetch content from these altered destinations, bypassing any restrictions set by the user. This flaw was addressed in version 0.162.0.

Affected Version(s)

hugo >= 0.91.0, < 0.162.0

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.