CVE-2026-50134

NameCVE-2026-50134
DescriptionHugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
hugo (PTS)bullseye0.80.0-6vulnerable
bullseye (security)0.80.0-6+deb11u1vulnerable
bookworm0.111.3-1vulnerable
trixie0.131.0-1vulnerable
forky0.161.1-1vulnerable
sid0.162.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
hugosource(unstable)0.162.1-1

Notes

https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g
Fixed by: https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50 (v0.162.0)

Search for package or bug name: Reporting problems