Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-c54g-xjwj-8g82 | Hugo: XSS via text/html content files |
Tue, 07 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 06 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Gohugo
Gohugo hugo |
|
| Vendors & Products |
Gohugo
Gohugo hugo |
Mon, 06 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0. | |
| Title | Hugo: XSS via text/html content files | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-07T14:44:31.886Z
Reserved: 2026-06-03T18:49:32.275Z
Link: CVE-2026-50133
Updated: 2026-07-07T14:44:26.180Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T17:30:17Z
Github GHSA