CVE-2026-50134

Source
https://cve.org/CVERecord?id=CVE-2026-50134
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50134.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-50134
Aliases
Downstream
Published
2026-07-06T19:42:49.280Z
Modified
2026-07-09T04:00:33.632720881Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Hugo: security.http.urls allow-list bypass via HTTP redirects
Details

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50134.json",
    "cwe_ids": [
        "CWE-918"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/gohugoio/hugo

Affected ranges

Type
GIT
Repo
https://github.com/gohugoio/hugo
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.91.0"
        },
        {
            "fixed": "0.162.0"
        }
    ]
}

Affected versions

v0.*
v0.100.0
v0.100.1
v0.100.2
v0.101.0
v0.102.0
v0.102.3
v0.103.1
v0.104.0
v0.104.1
v0.104.2
v0.104.3
v0.105.0
v0.106.0
v0.107.0
v0.108.0
v0.109.0
v0.110.0
v0.111.1
v0.111.2
v0.111.3
v0.112.0
v0.112.1
v0.112.2
v0.112.3
v0.112.4
v0.112.6
v0.112.7
v0.113.0
v0.114.0
v0.115.0
v0.115.1
v0.115.2
v0.115.3
v0.115.4
v0.116.0
v0.116.1
v0.118.0
v0.118.1
v0.118.2
v0.119.0
v0.120.0
v0.120.1
v0.120.2
v0.120.3
v0.120.4
v0.121.0
v0.121.1
v0.121.2
v0.122.0
v0.123.1
v0.123.2
v0.123.3
v0.123.4
v0.123.5
v0.123.6
v0.123.7
v0.123.8
v0.124.0
v0.124.1
v0.125.0
v0.125.1
v0.125.2
v0.125.4
v0.125.5
v0.125.6
v0.125.7
v0.126.0
v0.126.1
v0.126.3
v0.127.0
v0.128.0
v0.128.1
v0.128.2
v0.129.0
v0.130.0
v0.131.0
v0.132.0
v0.132.1
v0.132.2
v0.133.0
v0.133.1
v0.134.0
v0.134.1
v0.134.2
v0.134.3
v0.135.0
v0.136.0
v0.136.1
v0.136.2
v0.136.3
v0.136.5
v0.137.0
v0.137.1
v0.138.0
v0.139.0
v0.139.1
v0.139.2
v0.139.3
v0.139.4
v0.140.0
v0.140.1
v0.140.2
v0.141.0
v0.142.0
v0.143.0
v0.143.1
v0.144.0
v0.144.1
v0.145.0
v0.146.0
v0.146.1
v0.146.2
v0.146.3
v0.146.4
v0.146.5
v0.146.6
v0.146.7
v0.147.0
v0.147.1
v0.147.2
v0.147.3
v0.147.5
v0.147.6
v0.147.7
v0.147.8
v0.147.9
v0.148.0
v0.148.1
v0.148.2
v0.149.0
v0.149.1
v0.150.0
v0.150.1
v0.151.0
v0.151.1
v0.152.0
v0.152.1
v0.152.2
v0.153.0
v0.153.1
v0.153.2
v0.153.3
v0.153.4
v0.153.5
v0.154.0
v0.154.1
v0.154.2
v0.154.3
v0.154.4
v0.154.5
v0.155.0
v0.155.1
v0.155.2
v0.155.3
v0.156.0
v0.157.0
v0.158.0
v0.159.0
v0.159.1
v0.159.2
v0.160.0
v0.160.1
v0.161.0
v0.161.1
v0.91.0
v0.91.1
v0.91.2
v0.92.0
v0.92.1
v0.92.2
v0.93.0
v0.93.1
v0.93.2
v0.93.3
v0.94.0
v0.94.1
v0.94.2
v0.95.0
v0.97.0
v0.97.1
v0.97.2
v0.97.3
v0.98.0
v0.99.0
v0.99.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50134.json"