Skip to content

chore(deps): update module github.com/gohugoio/hugo to v0.163.3 [security]#89

Open
jamesread wants to merge 1 commit into
mainfrom
renovate/go-github.com-gohugoio-hugo-vulnerability
Open

chore(deps): update module github.com/gohugoio/hugo to v0.163.3 [security]#89
jamesread wants to merge 1 commit into
mainfrom
renovate/go-github.com-gohugoio-hugo-vulnerability

Conversation

@jamesread

@jamesread jamesread commented Jun 17, 2026

Copy link
Copy Markdown
Owner

This PR contains the following updates:

Package Type Update Change
github.com/gohugoio/hugo indirect minor v0.161.0 -> v0.163.3

GitHub Vulnerability Alerts

CVE-2026-50133

Commit: e41a06447dDisallow HTML content by default
Affected versions: all Hugo versions prior to v0.162.0.
Fixed in: v0.162.0.
Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load.

Description. Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.

Mitigation. v0.162.0 introduces a security.allowContent whitelist with text/html denied by default. Sites that intentionally author HTML content can opt back in:

[security]
allowContent = ['.*']

This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.

CVE-2026-50134

Commit: 86fbb0f7a8security: Validate redirects against security.http.urls
Affected versions: v0.91.0 (when security.http.urls was introduced) through v0.161.1.
Fixed in: v0.162.0.
Severity: Only relevant for sites that rely on security.http.urls as a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to resources.GetRemote.

Description. resources.GetRemote enforces security.http.urls on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example, http://localhost/ or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.

Mitigation. v0.162.0 installs a CheckRedirect on the HTTP client used by resources.GetRemote that re-runs security.http.urls on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.

CVE-2026-50135

Commit: f8b5fa09a6Fix prevention of direct symlink reads in resources.Get
Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected.
Fixed in: v0.162.0.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct resources.Get "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.

Mitigation. v0.162.0 calls LstatIfPossible and rejects symlinked entries with os.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.

GHSA-c3wq-j5vh-68rc

Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected.
Fixed in: v0.163.1.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.

GHSA-q76j-gcg9-vxc6

Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the <code class="language-…" data-lang="…"> wrapper without HTML escaping. A fence info-string containing a quote and a <script> payload breaks out of the attribute and injects a live script element.

This is not an issue if you fully trust every file under /content and every content adapter you load.


Hugo: XSS via text/html content files

CVE-2026-50133 / GHSA-c54g-xjwj-8g82 / GO-2026-5313

More information

Details

Commit: e41a06447dDisallow HTML content by default
Affected versions: all Hugo versions prior to v0.162.0.
Fixed in: v0.162.0.
Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load.

Description. Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.

Mitigation. v0.162.0 introduces a security.allowContent whitelist with text/html denied by default. Sites that intentionally author HTML content can opt back in:

[security]
allowContent = ['.*']

This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugo: security.http.urls allow-list bypass via HTTP redirects in github.com/gohugoio/hugo

CVE-2026-50134 / GHSA-vxgm-5rmg-5w8g / GO-2026-5681

More information

Details

Hugo: security.http.urls allow-list bypass via HTTP redirects in github.com/gohugoio/hugo

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hugo: XSS via text/html content files in github.com/gohugoio/hugo

CVE-2026-50133 / GHSA-c54g-xjwj-8g82 / GO-2026-5313

More information

Details

Hugo: XSS via text/html content files in github.com/gohugoio/hugo

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hugo: security.http.urls allow-list bypass via HTTP redirects

CVE-2026-50134 / GHSA-vxgm-5rmg-5w8g / GO-2026-5681

More information

Details

Commit: 86fbb0f7a8security: Validate redirects against security.http.urls
Affected versions: v0.91.0 (when security.http.urls was introduced) through v0.161.1.
Fixed in: v0.162.0.
Severity: Only relevant for sites that rely on security.http.urls as a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to resources.GetRemote.

Description. resources.GetRemote enforces security.http.urls on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example, http://localhost/ or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.

Mitigation. v0.162.0 installs a CheckRedirect on the HTTP client used by resources.GetRemote that re-runs security.http.urls on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo

CVE-2026-50135 / GHSA-fw87-fv5r-9fpw / GO-2026-5380

More information

Details

Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Hugo: Symlink confinement bypass in resources.Get

CVE-2026-50135 / GHSA-fw87-fv5r-9fpw / GO-2026-5380

More information

Details

Commit: f8b5fa09a6Fix prevention of direct symlink reads in resources.Get
Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected.
Fixed in: v0.162.0.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct resources.Get "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.

Mitigation. v0.162.0 calls LstatIfPossible and rejects symlinked entries with os.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugo: Symlink confinement bypass in os.ReadFile

CVE-2026-58403 / GHSA-c3wq-j5vh-68rc

More information

Details

Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected.
Fixed in: v0.163.1.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Hugo: XSS via unescaped code-fence language in default code block renderer

CVE-2026-58402 / GHSA-q76j-gcg9-vxc6

More information

Details

Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the <code class="language-…" data-lang="…"> wrapper without HTML escaping. A fence info-string containing a quote and a <script> payload breaks out of the attribute and injects a live script element.

This is not an issue if you fully trust every file under /content and every content adapter you load.

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

gohugoio/hugo (github.com/gohugoio/hugo)

v0.163.3

Compare Source

What's Changed

v0.163.2

Compare Source

What's Changed

v0.163.1

Compare Source

The majority of the fixes in this release are security related (including the upstream fix in 93c8c7d (golang.org/x/image)). Thanks to @​vnth4nhnt for finding the issues fixed in a00b5c7 and cf9c8f9 (I will do the CVE work on this later). There has been a uptick in security reports lately, which doesn't mean that Hugo has gotten less secure, this is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.

What's Changed

v0.163.0

Compare Source

The main topic in this release is improvements to the AVIF image handling that we introduced in v0.162.0. See the docs for details, but:

  • We have turned down the default quality for AVIF to 60. Turns out, JPEG/WebP with quality 75 is comparable to AVIF with quality 60. You can now also set quality per image format in your project config (and also per image processed if needed).
  • We have added a hint to the AVIF with the same values as for WEBP. For lossy compression, the photo/picture hints (and the default) encodes with YUV420 chroma subsampling instead of YUV444, keeping 444 for text/icon/drawing. This greatly reduces the memory needed to encode these images.

Improvements

Dependency Updates

v0.162.1

Compare Source

What's Changed

v0.162.0

Compare Source

The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).

Security fixes

There are some notable security fixes in this release.

Security fixes in Go

This release upgrades from Go 1.26.1 to 126.3, which brings a set of security fixes. Some relevant for Hugo are:

  • XSS in html/template (CVE-2026-39826 & CVE-2026-39823): Two separate vulnerabilities where escaper bypasses in html/template could lead to Cross-Site Scripting (XSS).
  • html/template: Fixes an issue where JS template literal contexts were incorrectly tracked across template branches, which could lead to improper content escaping.
Security fixes and hardening in Hugo

The following changes either fix a concrete issue or reduce the default attack surface of hugo builds.

  • Disallow text/html content files by default (e41a064). A new security.allowContent policy gates which content media types may be used for pages under /content. text/html is denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in with security.allowContent = ['.*'].
  • Re-check security.http.urls on every redirect hop in resources.GetRemote (86fbb0f).
  • Reject symlinked entries in resources.Get (f8b5fa0).

We will update this section later with links to CVEs where applicable.

All changes

v0.161.1

Compare Source

What's Changed


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@jamesread

jamesread commented Jun 17, 2026

Copy link
Copy Markdown
Owner Author

ℹ Artifact update notice

File name: service/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 4 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.25.10 -> 1.26.0
github.com/bits-and-blooms/bitset v1.24.4 -> v1.24.5
github.com/pelletier/go-toml/v2 v2.3.0 -> v2.3.1
golang.org/x/sync v0.20.0 -> v0.21.0
golang.org/x/text v0.37.0 -> v0.38.0

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

service/go.mod updates the Go toolchain from 1.25.10 to 1.26.0 and bumps five indirect dependencies: github.com/bits-and-blooms/bitset, github.com/gohugoio/hugo, github.com/pelletier/go-toml/v2, golang.org/x/sync, and golang.org/x/text.

Changes

Go Module Updates

Layer / File(s) Summary
Update Go toolchain and indirect dependencies
service/go.mod
Go toolchain upgraded from 1.25.10 to 1.26.0. Indirect dependencies updated: bitset to v1.24.5, hugo to v0.163.3, go-toml/v2 to v2.3.1, golang.org/x/sync to v0.21.0, and golang.org/x/text to v0.38.0.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • jamesread/Japella#71: Also bumps github.com/gohugoio/hugo and golang.org/x/* modules in service/go.mod.
  • jamesread/Japella#42: Updates service/go.mod with overlapping golang.org/x/sync and golang.org/x/text dependency bumps.

Poem

A bunny hops through go.mod light,
Version nibbles, tidy and bright.
Toolchain up, deps in tune,
Freshened bytes beneath the moon.
🐇✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the primary dependency upgrade to Hugo and correctly labels it as a security-related update.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/go-github.com-gohugoio-hugo-vulnerability

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@service/go.mod`:
- Line 98: The PR description contains inaccurate claims about which CVEs are
fixed by Hugo v0.162.0. The cited CVEs (CVE-2026-50134, CVE-2026-50133,
CVE-2026-50135) are not documented as addressed in the official Hugo v0.162.0
release notes. Update the PR description to remove these unverified CVE
references and instead accurately document the actual security improvements
delivered in v0.162.0: the Go 1.26.3 upgrade (which includes CVE-2026-39826 and
CVE-2026-39823) and Hugo-specific hardening measures (disallowing text/html by
default, enforcing HTTP URL checks on redirects, and rejecting symlinked
entries). Either provide documented evidence linking the originally cited CVEs
to this release or remove them entirely from the PR objectives.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 040f3c92-d5f4-42e2-bdbe-e1adcd5ea9c1

📥 Commits

Reviewing files that changed from the base of the PR and between 43545eb and 1608a91.

⛔ Files ignored due to path filters (1)
  • service/go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • service/go.mod

Comment thread service/go.mod Outdated
github.com/gofrs/flock v0.13.0 // indirect
github.com/gohugoio/hashstructure v0.6.0 // indirect
github.com/gohugoio/hugo v0.161.0 // indirect
github.com/gohugoio/hugo v0.162.0 // indirect

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Hugo v0.162.0 release notes security fixes CVE-2026-50134 CVE-2026-50133 CVE-2026-50135

💡 Result:

The Hugo v0.162.0 release, published on May 26, 2026, does not list CVE-2026-50134, CVE-2026-50133, or CVE-2026-50135 as addressed vulnerabilities [1][2]. The security fixes included in v0.162.0 focus on the following: 1. Go Language Vulnerabilities: Hugo v0.162.0 upgraded from Go 1.26.1 to 1.26.3, which includes patches for CVE-2026-39826 and CVE-2026-39823 (XSS vulnerabilities in html/template) as well as a fix for improper JS template literal context tracking [1][3]. 2. Hugo Security Hardening: The release introduced several security-focused changes to reduce the attack surface, including: - Disallowing text/html content files by default, requiring an opt-in policy via security.allowContent for sites that require it [1][4]. - Enforcing security.http.urls checks on every redirect hop in resources.GetRemote [1][4]. - Rejecting symlinked entries in resources.Get [1][4]. There is no evidence in official Hugo release notes or advisory databases linking Hugo v0.162.0 to CVE-2026-50134, CVE-2026-50133, or CVE-2026-50135 [1][5][6]. Public records indicate that CVE-2026-50133 and CVE-2026-50134 have been associated with other software contexts (such as Linux kernel updates) and are not specific to the Hugo static site generator [7][8].

Citations:


Correct Hugo v0.162.0 CVE claims—the cited CVEs are not documented as fixed in this release.

The PR objectives claim Hugo v0.162.0 fixes CVE-2026-50134, CVE-2026-50133, and CVE-2026-50135, but official Hugo v0.162.0 release notes do not list these CVEs as addressed. Actual security fixes in v0.162.0 are: Go 1.26.3 upgrade (including CVE-2026-39826, CVE-2026-39823) and Hugo-specific hardening (disallowing text/html by default, enforcing HTTP URL checks on redirects, rejecting symlinked entries). The cited CVE identifiers appear unrelated to Hugo. Update the PR description to accurately reflect the real security improvements or provide documented evidence linking those CVEs to this release.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@service/go.mod` at line 98, The PR description contains inaccurate claims
about which CVEs are fixed by Hugo v0.162.0. The cited CVEs (CVE-2026-50134,
CVE-2026-50133, CVE-2026-50135) are not documented as addressed in the official
Hugo v0.162.0 release notes. Update the PR description to remove these
unverified CVE references and instead accurately document the actual security
improvements delivered in v0.162.0: the Go 1.26.3 upgrade (which includes
CVE-2026-39826 and CVE-2026-39823) and Hugo-specific hardening measures
(disallowing text/html by default, enforcing HTTP URL checks on redirects, and
rejecting symlinked entries). Either provide documented evidence linking the
originally cited CVEs to this release or remove them entirely from the PR
objectives.

@jamesread jamesread force-pushed the renovate/go-github.com-gohugoio-hugo-vulnerability branch from 1608a91 to 935791f Compare June 20, 2026 01:01
@jamesread jamesread changed the title chore(deps): update module github.com/gohugoio/hugo to v0.162.0 [security] chore(deps): update module github.com/gohugoio/hugo to v0.163.3 [security] Jun 20, 2026
@jamesread jamesread force-pushed the renovate/go-github.com-gohugoio-hugo-vulnerability branch from 935791f to bc67c50 Compare July 1, 2026 01:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants