CVE-2026-50133: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gohugoio hugo
Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
AI Analysis
Technical Summary
CVE-2026-50133 describes a stored cross-site scripting vulnerability in Hugo versions before 0.162.0. The vulnerability arises because Hugo emitted the body of content files mapped to the text/html media type without sanitization, allowing malicious HTML content to be served directly in rendered pages. This improper neutralization of input during web page generation is classified under CWE-79. The vulnerability is resolved in Hugo 0.162.0.
Potential Impact
An attacker able to supply or influence HTML content files could inject malicious scripts that would be served to users, leading to stored cross-site scripting attacks. This could result in client-side code execution in the context of the affected site. The CVSS 4.0 score is 5.1 (medium severity), indicating a moderate risk without requiring privileges or user interaction beyond viewing the affected content.
Mitigation Recommendations
Upgrade to Hugo version 0.162.0 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Users should avoid ingesting untrusted HTML content until upgraded.
CVE-2026-50133: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gohugoio hugo
Description
Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
CVSS v4.0
Score 5.1medium
Affected software
pkg:golang/github.com/gohugoio/hugoRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-50133 describes a stored cross-site scripting vulnerability in Hugo versions before 0.162.0. The vulnerability arises because Hugo emitted the body of content files mapped to the text/html media type without sanitization, allowing malicious HTML content to be served directly in rendered pages. This improper neutralization of input during web page generation is classified under CWE-79. The vulnerability is resolved in Hugo 0.162.0.
Potential Impact
An attacker able to supply or influence HTML content files could inject malicious scripts that would be served to users, leading to stored cross-site scripting attacks. This could result in client-side code execution in the context of the affected site. The CVSS 4.0 score is 5.1 (medium severity), indicating a moderate risk without requiring privileges or user interaction beyond viewing the affected content.
Mitigation Recommendations
Upgrade to Hugo version 0.162.0 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Users should avoid ingesting untrusted HTML content until upgraded.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-03T18:49:32.275Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4c076827e9c7971920cba8
Added to database: 07/06/2026, 19:52:08 UTC
Last enriched: 07/06/2026, 20:07:11 UTC
Last updated: 07/06/2026, 21:11:47 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.