CVE-2026-50133

Source
https://cve.org/CVERecord?id=CVE-2026-50133
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50133.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-50133
Aliases
Downstream
Published
2026-07-06T19:31:18.386Z
Modified
2026-07-08T08:13:41.175437551Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Hugo: XSS via text/html content files
Details

Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50133.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/gohugoio/hugo

Affected ranges

Type
GIT
Repo
https://github.com/gohugoio/hugo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.162.0"
        }
    ]
}

Affected versions

v0.*
v0.10
v0.100.0
v0.100.1
v0.100.2
v0.101.0
v0.102.0
v0.102.3
v0.103.1
v0.104.0
v0.104.1
v0.104.2
v0.104.3
v0.105.0
v0.106.0
v0.107.0
v0.108.0
v0.109.0
v0.11
v0.110.0
v0.111.1
v0.111.2
v0.111.3
v0.112.0
v0.112.1
v0.112.2
v0.112.3
v0.112.4
v0.112.6
v0.112.7
v0.113.0
v0.114.0
v0.115.0
v0.115.1
v0.115.2
v0.115.3
v0.115.4
v0.116.0
v0.116.1
v0.118.0
v0.118.1
v0.118.2
v0.119.0
v0.12
v0.120.0
v0.120.1
v0.120.2
v0.120.3
v0.120.4
v0.121.0
v0.121.1
v0.121.2
v0.122.0
v0.123.1
v0.123.2
v0.123.3
v0.123.4
v0.123.5
v0.123.6
v0.123.7
v0.123.8
v0.124.0
v0.124.1
v0.125.0
v0.125.1
v0.125.2
v0.125.4
v0.125.5
v0.125.6
v0.125.7
v0.126.0
v0.126.1
v0.126.3
v0.127.0
v0.128.0
v0.128.1
v0.128.2
v0.129.0
v0.13
v0.130.0
v0.131.0
v0.132.0
v0.132.1
v0.132.2
v0.133.0
v0.133.1
v0.134.0
v0.134.1
v0.134.2
v0.134.3
v0.135.0
v0.136.0
v0.136.1
v0.136.2
v0.136.3
v0.136.5
v0.137.0
v0.137.1
v0.138.0
v0.139.0
v0.139.1
v0.139.2
v0.139.3
v0.139.4
v0.14
v0.140.0
v0.140.1
v0.140.2
v0.141.0
v0.142.0
v0.143.0
v0.143.1
v0.144.0
v0.144.1
v0.145.0
v0.146.0
v0.146.1
v0.146.2
v0.146.3
v0.146.4
v0.146.5
v0.146.6
v0.146.7
v0.147.0
v0.147.1
v0.147.2
v0.147.3
v0.147.5
v0.147.6
v0.147.7
v0.147.8
v0.147.9
v0.148.0
v0.148.1
v0.148.2
v0.149.0
v0.149.1
v0.15
v0.150.0
v0.150.1
v0.151.0
v0.151.1
v0.152.0
v0.152.1
v0.152.2
v0.153.0
v0.153.1
v0.153.2
v0.153.3
v0.153.4
v0.153.5
v0.154.0
v0.154.1
v0.154.2
v0.154.3
v0.154.4
v0.154.5
v0.155.0
v0.155.1
v0.155.2
v0.155.3
v0.156.0
v0.157.0
v0.158.0
v0.159.0
v0.159.1
v0.159.2
v0.16
v0.160.0
v0.160.1
v0.161.0
v0.161.1
v0.17
v0.18
v0.19
v0.20
v0.20.1
v0.20.4
v0.21
v0.22
v0.22.1
v0.23
v0.24
v0.25
v0.25.1
v0.26
v0.27
v0.27.1
v0.28
v0.29
v0.30
v0.30.1
v0.30.2
v0.31
v0.31.1
v0.32
v0.32.1
v0.32.2
v0.32.3
v0.32.4
v0.33
v0.34
v0.35
v0.36
v0.37
v0.37.1
v0.38
v0.38.1
v0.38.2
v0.39
v0.40
v0.40.1
v0.40.2
v0.42.1
v0.43
v0.44
v0.45
v0.45.1
v0.46
v0.47
v0.47.1
v0.48
v0.49
v0.50
v0.51
v0.52
v0.53
v0.54.0
v0.55.0
v0.55.1
v0.55.2
v0.55.3
v0.55.4
v0.55.5
v0.56.0
v0.56.2
v0.56.3
v0.57.0
v0.57.1
v0.57.2
v0.58.0
v0.58.1
v0.58.2
v0.58.3
v0.59.0
v0.59.1
v0.60.0
v0.60.1
v0.61.0
v0.62.0
v0.62.1
v0.62.2
v0.63.0
v0.63.1
v0.63.2
v0.64.0
v0.64.1
v0.65.0
v0.65.1
v0.65.2
v0.65.3
v0.66.0
v0.67.0
v0.67.1
v0.68.0
v0.68.1
v0.68.2
v0.68.3
v0.69.0
v0.69.1
v0.69.2
v0.7
v0.70.0
v0.71.0
v0.71.1
v0.72.0
v0.74.0
v0.74.1
v0.74.2
v0.74.3
v0.75.0
v0.75.1
v0.76.0
v0.76.1
v0.76.2
v0.76.4
v0.77.0
v0.78.0
v0.78.1
v0.78.2
v0.79.0
v0.80.0
v0.81.0
v0.82.0
v0.83.0
v0.83.1
v0.84.0
v0.84.1
v0.84.2
v0.84.3
v0.84.4
v0.85.0
v0.86.0
v0.87.0
v0.88.0
v0.88.1
v0.89.0
v0.89.1
v0.89.2
v0.89.3
v0.89.4
v0.9
v0.90.0
v0.90.1
v0.91.0
v0.91.1
v0.91.2
v0.92.0
v0.92.1
v0.92.2
v0.93.0
v0.93.1
v0.93.2
v0.93.3
v0.94.0
v0.94.1
v0.94.2
v0.95.0
v0.97.0
v0.97.1
v0.97.2
v0.97.3
v0.98.0
v0.99.0
v0.99.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50133.json"