chore(deps): update module github.com/gohugoio/hugo to v0.163.3 [security]#89
chore(deps): update module github.com/gohugoio/hugo to v0.163.3 [security]#89jamesread wants to merge 1 commit into
Conversation
ℹ Artifact update noticeFile name: service/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
📝 WalkthroughWalkthrough
ChangesGo Module Updates
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@service/go.mod`:
- Line 98: The PR description contains inaccurate claims about which CVEs are
fixed by Hugo v0.162.0. The cited CVEs (CVE-2026-50134, CVE-2026-50133,
CVE-2026-50135) are not documented as addressed in the official Hugo v0.162.0
release notes. Update the PR description to remove these unverified CVE
references and instead accurately document the actual security improvements
delivered in v0.162.0: the Go 1.26.3 upgrade (which includes CVE-2026-39826 and
CVE-2026-39823) and Hugo-specific hardening measures (disallowing text/html by
default, enforcing HTTP URL checks on redirects, and rejecting symlinked
entries). Either provide documented evidence linking the originally cited CVEs
to this release or remove them entirely from the PR objectives.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 040f3c92-d5f4-42e2-bdbe-e1adcd5ea9c1
⛔ Files ignored due to path filters (1)
service/go.sumis excluded by!**/*.sum
📒 Files selected for processing (1)
service/go.mod
| github.com/gofrs/flock v0.13.0 // indirect | ||
| github.com/gohugoio/hashstructure v0.6.0 // indirect | ||
| github.com/gohugoio/hugo v0.161.0 // indirect | ||
| github.com/gohugoio/hugo v0.162.0 // indirect |
There was a problem hiding this comment.
🧩 Analysis chain
🌐 Web query:
Hugo v0.162.0 release notes security fixes CVE-2026-50134 CVE-2026-50133 CVE-2026-50135
💡 Result:
The Hugo v0.162.0 release, published on May 26, 2026, does not list CVE-2026-50134, CVE-2026-50133, or CVE-2026-50135 as addressed vulnerabilities [1][2]. The security fixes included in v0.162.0 focus on the following: 1. Go Language Vulnerabilities: Hugo v0.162.0 upgraded from Go 1.26.1 to 1.26.3, which includes patches for CVE-2026-39826 and CVE-2026-39823 (XSS vulnerabilities in html/template) as well as a fix for improper JS template literal context tracking [1][3]. 2. Hugo Security Hardening: The release introduced several security-focused changes to reduce the attack surface, including: - Disallowing text/html content files by default, requiring an opt-in policy via security.allowContent for sites that require it [1][4]. - Enforcing security.http.urls checks on every redirect hop in resources.GetRemote [1][4]. - Rejecting symlinked entries in resources.Get [1][4]. There is no evidence in official Hugo release notes or advisory databases linking Hugo v0.162.0 to CVE-2026-50134, CVE-2026-50133, or CVE-2026-50135 [1][5][6]. Public records indicate that CVE-2026-50133 and CVE-2026-50134 have been associated with other software contexts (such as Linux kernel updates) and are not specific to the Hugo static site generator [7][8].
Citations:
- 1: https://github.com/gohugoio/hugo/releases/tag/v0.162.0
- 2: https://discourse.gohugo.io/t/hugo-v0-162-0-released/57207
- 3: https://newreleases.io/project/github/gohugoio/hugo/release/v0.162.0
- 4: https://go.libhunt.com/hugo-changelog/0.162.0
- 5: https://github.com/advisories
- 6: https://strobes.co/vi/explore/?cursor=eyJzb3J0X3ZhbHVlIjogMCwgImlkIjogIkNWRS0yMDI2LTUwMTcwIn0%3D&page=38
- 7: https://advisories.mageia.org/CVE-2024-50134.html
- 8: https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2025-40256/
Correct Hugo v0.162.0 CVE claims—the cited CVEs are not documented as fixed in this release.
The PR objectives claim Hugo v0.162.0 fixes CVE-2026-50134, CVE-2026-50133, and CVE-2026-50135, but official Hugo v0.162.0 release notes do not list these CVEs as addressed. Actual security fixes in v0.162.0 are: Go 1.26.3 upgrade (including CVE-2026-39826, CVE-2026-39823) and Hugo-specific hardening (disallowing text/html by default, enforcing HTTP URL checks on redirects, rejecting symlinked entries). The cited CVE identifiers appear unrelated to Hugo. Update the PR description to accurately reflect the real security improvements or provide documented evidence linking those CVEs to this release.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@service/go.mod` at line 98, The PR description contains inaccurate claims
about which CVEs are fixed by Hugo v0.162.0. The cited CVEs (CVE-2026-50134,
CVE-2026-50133, CVE-2026-50135) are not documented as addressed in the official
Hugo v0.162.0 release notes. Update the PR description to remove these
unverified CVE references and instead accurately document the actual security
improvements delivered in v0.162.0: the Go 1.26.3 upgrade (which includes
CVE-2026-39826 and CVE-2026-39823) and Hugo-specific hardening measures
(disallowing text/html by default, enforcing HTTP URL checks on redirects, and
rejecting symlinked entries). Either provide documented evidence linking the
originally cited CVEs to this release or remove them entirely from the PR
objectives.
1608a91 to
935791f
Compare
935791f to
bc67c50
Compare
This PR contains the following updates:
v0.161.0->v0.163.3GitHub Vulnerability Alerts
CVE-2026-50133
Commit: e41a06447d — Disallow HTML content by default
Affected versions: all Hugo versions prior to v0.162.0.
Fixed in: v0.162.0.
Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under
/contentand every content adapter you load.Description. Hugo accepts content files in several markup formats. Files mapped to the
text/htmlmedia type (typically.htmlfiles under/content, or pages produced by a content adapter that setscontent.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.Mitigation. v0.162.0 introduces a
security.allowContentwhitelist withtext/htmldenied by default. Sites that intentionally author HTML content can opt back in:This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.
CVE-2026-50134
Commit: 86fbb0f7a8 — security: Validate redirects against security.http.urls
Affected versions: v0.91.0 (when
security.http.urlswas introduced) through v0.161.1.Fixed in: v0.162.0.
Severity: Only relevant for sites that rely on
security.http.urlsas a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed toresources.GetRemote.Description.
resources.GetRemoteenforcessecurity.http.urlson the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example,http://localhost/or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.Mitigation. v0.162.0 installs a
CheckRedirecton the HTTP client used byresources.GetRemotethat re-runssecurity.http.urlson every redirect target and caps the redirect chain at 10 hops. No configuration change is required.CVE-2026-50135
Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get
Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected.
Fixed in: v0.162.0.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under
themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups viaresources.Getfollowed symlinks.Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused
RootMappingFs.statRootto callStat(which follows symlinks) instead ofLstat, so a directresources.Get "somefile"wheresomefilewas a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user runninghugo.Mitigation. v0.162.0 calls
LstatIfPossibleand rejects symlinked entries withos.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.GHSA-c3wq-j5vh-68rc
Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected.
Fixed in: v0.163.1.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under
themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups viaresources.Getfollowed symlinks.Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused
RootMappingFs.statRootto callStat(which follows symlinks) instead ofLstat, so a directos.ReadFile "somefile"wheresomefilewas a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user runninghugo.GHSA-q76j-gcg9-vxc6
Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the
<code class="language-…" data-lang="…">wrapper without HTML escaping. A fence info-string containing a quote and a<script>payload breaks out of the attribute and injects a live script element.This is not an issue if you fully trust every file under /content and every content adapter you load.
Hugo: XSS via text/html content files
CVE-2026-50133 / GHSA-c54g-xjwj-8g82 / GO-2026-5313
More information
Details
Commit: e41a06447d — Disallow HTML content by default
Affected versions: all Hugo versions prior to v0.162.0.
Fixed in: v0.162.0.
Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under
/contentand every content adapter you load.Description. Hugo accepts content files in several markup formats. Files mapped to the
text/htmlmedia type (typically.htmlfiles under/content, or pages produced by a content adapter that setscontent.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.Mitigation. v0.162.0 introduces a
security.allowContentwhitelist withtext/htmldenied by default. Sites that intentionally author HTML content can opt back in:This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hugo: security.http.urls allow-list bypass via HTTP redirects in github.com/gohugoio/hugo
CVE-2026-50134 / GHSA-vxgm-5rmg-5w8g / GO-2026-5681
More information
Details
Hugo: security.http.urls allow-list bypass via HTTP redirects in github.com/gohugoio/hugo
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hugo: XSS via text/html content files in github.com/gohugoio/hugo
CVE-2026-50133 / GHSA-c54g-xjwj-8g82 / GO-2026-5313
More information
Details
Hugo: XSS via text/html content files in github.com/gohugoio/hugo
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hugo: security.http.urls allow-list bypass via HTTP redirects
CVE-2026-50134 / GHSA-vxgm-5rmg-5w8g / GO-2026-5681
More information
Details
Commit: 86fbb0f7a8 — security: Validate redirects against security.http.urls
Affected versions: v0.91.0 (when
security.http.urlswas introduced) through v0.161.1.Fixed in: v0.162.0.
Severity: Only relevant for sites that rely on
security.http.urlsas a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed toresources.GetRemote.Description.
resources.GetRemoteenforcessecurity.http.urlson the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example,http://localhost/or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.Mitigation. v0.162.0 installs a
CheckRedirecton the HTTP client used byresources.GetRemotethat re-runssecurity.http.urlson every redirect target and caps the redirect chain at 10 hops. No configuration change is required.Severity
Moderate
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo
CVE-2026-50135 / GHSA-fw87-fv5r-9fpw / GO-2026-5380
More information
Details
Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Hugo: Symlink confinement bypass in resources.Get
CVE-2026-50135 / GHSA-fw87-fv5r-9fpw / GO-2026-5380
More information
Details
Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get
Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected.
Fixed in: v0.162.0.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under
themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups viaresources.Getfollowed symlinks.Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused
RootMappingFs.statRootto callStat(which follows symlinks) instead ofLstat, so a directresources.Get "somefile"wheresomefilewas a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user runninghugo.Mitigation. v0.162.0 calls
LstatIfPossibleand rejects symlinked entries withos.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hugo: Symlink confinement bypass in os.ReadFile
CVE-2026-58403 / GHSA-c3wq-j5vh-68rc
More information
Details
Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected.
Fixed in: v0.163.1.
Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under
themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups viaresources.Getfollowed symlinks.Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused
RootMappingFs.statRootto callStat(which follows symlinks) instead ofLstat, so a directos.ReadFile "somefile"wheresomefilewas a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user runninghugo.Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Hugo: XSS via unescaped code-fence language in default code block renderer
CVE-2026-58402 / GHSA-q76j-gcg9-vxc6
More information
Details
Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the
<code class="language-…" data-lang="…">wrapper without HTML escaping. A fence info-string containing a quote and a<script>payload breaks out of the attribute and injects a live script element.This is not an issue if you fully trust every file under /content and every content adapter you load.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
gohugoio/hugo (github.com/gohugoio/hugo)
v0.163.3Compare Source
What's Changed
ce1a7e0@bep thanks to @k0ngj1 for reporting this issue.70a9068@bep9d66d51@jmooring #15039 #15040 #15043f013346@jmooring #15046v0.163.2Compare Source
What's Changed
134674f@bep #15041147f605@jmooring #14222v0.163.1Compare Source
The majority of the fixes in this release are security related (including the upstream fix in
93c8c7d(golang.org/x/image)). Thanks to @vnth4nhnt for finding the issues fixed ina00b5c7andcf9c8f9(I will do the CVE work on this later). There has been a uptick in security reports lately, which doesn't mean that Hugo has gotten less secure, this is mostly the work of the new and powerful AI tools using Hugo's restrictive security model as their baseline. Just take a look at Go's recent security issue list to see a demonstration of this.What's Changed
93c8c7d@dependabot[bot]95e5e9f@bep #15024a00b5c7@bepcf9c8f9@bep #150192602796@jmooring #15012v0.163.0Compare Source
The main topic in this release is improvements to the AVIF image handling that we introduced in
v0.162.0. See the docs for details, but:qualityfor AVIF to 60. Turns out, JPEG/WebP with quality 75 is comparable to AVIF with quality 60. You can now also set quality per image format in your project config (and also per image processed if needed).hintto the AVIF with the same values as forWEBP. Forlossycompression, the photo/picture hints (and the default) encodes with YUV420 chroma subsampling instead of YUV444, keeping 444 for text/icon/drawing. This greatly reduces the memory needed to encode these images.Improvements
ff2903a@bep #14991 #14996ca68936@jmooring781fabf@bep1d018ef@anupamojha-eng #14999121bc6c@bepcf18b82@bep #1499898ad9b3@bep #14997b89e7fe@bep #11574e8fefc8@bep #14990a043d3e@bep #14992341f575@bep #14987248241b@bep #149814e47d95@bep #1497903b4b54@bep #1497979be053@bep #149830f44046@bep #149774e17421@bep #14985b01ecd4@bep #1495745c00b7@jmooring #14936 #14950 #1496528d882a@bepDependency Updates
0d29fc8@dependabot[bot]bb57404@dependabot[bot]7d1b1fb@dependabot[bot]77a1147@dependabot[bot]v0.162.1Compare Source
What's Changed
59f35cd@jmooring #14959c270975@bep #14958ea8b48a@jmooring #14948v0.162.0Compare Source
The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).
Security fixes
There are some notable security fixes in this release.
Security fixes in Go
This release upgrades from Go 1.26.1 to 126.3, which brings a set of security fixes. Some relevant for Hugo are:
Security fixes and hardening in Hugo
The following changes either fix a concrete issue or reduce the default attack surface of
hugobuilds.text/htmlcontent files by default (e41a064). A newsecurity.allowContentpolicy gates which content media types may be used for pages under/content.text/htmlis denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in withsecurity.allowContent = ['.*'].security.http.urlson every redirect hop inresources.GetRemote(86fbb0f).resources.Get(f8b5fa0).We will update this section later with links to CVEs where applicable.
All changes
df54219@bep #149424bc7cae@bep5d51b82@jmooring #1492181d7762@jmooring #14795 #14906f8b5fa0@bep88d838a@xndvaz #14831e41a064@bep90d9f81@bep #783780e6084@jmooring #14944aeb9a5c@bep #14939c4bbc28@bepd8c7021@jmooring #14932ee4f1ac@bep #14855b613365@bep #11872d2c821b@bep4ed7600@bepcbe4339@bep #149126475d30@bep #14912 #1491767aede4@bep87f194b@bep #14897d81e3c2@bep #148977c65a4d@bepd31a927@bepc36608c@jmooring #149092f361a8@xndvaz #148865559263@jmooring #13869656fc04@bep #14062a20cb5b@bep #148984d775cb@bep #13492ae7bf74@bep #13987ba5d812@bep #12899 #14882be4a0df@bepe4cf565@bep9e64953@xndvaz #13737f0cfc28@xndvaz #1368816e854a@bep86fbb0f@bep #148717d4af7a@xndvaz #712828147cb@bep #14862e51e761@bep #148497011239@bep #14848694906f@cyphercodes #14820d27b9c0@ogulcanaydogan #1406262cef36@bep #14837ff22c62@jmooring #148174f444c8@dependabot[bot]fe6c726@dependabot[bot]6a2a038@dependabot[bot]cf1de59@dependabot[bot]97f990c@dependabot[bot]b99634e@dependabot[bot]fdd977e@dependabot[bot]123018d@dependabot[bot]b88fa8c@bep #14839v0.161.1Compare Source
What's Changed
c4eba92@bep #148288b40a96@bep #14823d65af84@bep #14824454450a@bep #14825Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.