GHSA-C54G-XJWJ-8G82
Vulnerability from github – Published: 2026-06-16 19:22 – Updated: 2026-06-16 19:22Commit: e41a06447d — Disallow HTML content by default
Affected versions: all Hugo versions prior to v0.162.0.
Fixed in: v0.162.0.
Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load.
Description. Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.
Mitigation. v0.162.0 introduces a security.allowContent whitelist with text/html denied by default. Sites that intentionally author HTML content can opt back in:
[security]
allowContent = ['.*']
This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gohugoio/hugo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.162.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50133"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T19:22:14Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "**Commit:** [e41a06447d](https://github.com/gohugoio/hugo/commit/e41a06447d) \u2014 _Disallow HTML content by default_\n**Affected versions:** all Hugo versions prior to v0.162.0.\n**Fixed in:** v0.162.0.\n**Severity:** Low to Medium, depending on threat model. Not an issue if you fully trust every file under `/content` and every content adapter you load.\n\n**Description.** Hugo accepts content files in several markup formats. Files mapped to the `text/html` media type (typically `.html` files under `/content`, or pages produced by a content adapter that sets `content.mediaType = \"text/html\"`) had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source \u2014 for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline \u2014 could therefore be served stored cross-site scripting.\n\n**Mitigation.** v0.162.0 introduces a `security.allowContent` whitelist with `text/html` denied by default. Sites that intentionally author HTML content can opt back in:\n\n```toml\n[security]\nallowContent = [\u0027.*\u0027]\n```\n\nThis only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.",
"id": "GHSA-c54g-xjwj-8g82",
"modified": "2026-06-16T19:22:14Z",
"published": "2026-06-16T19:22:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82"
},
{
"type": "WEB",
"url": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1"
},
{
"type": "PACKAGE",
"url": "https://github.com/gohugoio/hugo"
},
{
"type": "WEB",
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hugo: XSS via text/html content files"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.