GHSA-c54g-xjwj-8g82Medium

Hugo: XSS via text/html content files

Published
June 16, 2026
Last Modified
June 16, 2026

🔗 CVE IDs covered (1)

📋 Description

Commit: e41a06447dDisallow HTML content by default Affected versions: all Hugo versions prior to v0.162.0. Fixed in: v0.162.0. Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load.

Description. Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.

Mitigation. v0.162.0 introduces a security.allowContent whitelist with text/html denied by default. Sites that intentionally author HTML content can opt back in:

[security]
allowContent = ['.*']

This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.

🎯 Affected products1

  • go/github.com/gohugoio/hugo:< 0.162.0

🔗 References (4)