
Hugo: XSS via text/html content files

Where: Global (internet)
Category: cyber_advisory · go

**Commit:** [e41a06447d](https://github.com/gohugoio/hugo/commit/e41a06447d) — _Disallow HTML content by default_

**Affected versions:** all Hugo versions prior to v0.162.0.

**Fixed in:** v0.162.0.

**Severity:** Low to Medium, depending on threat model. Not an issue if you fully trust every file under `/content` and every content adapter you load.

**Description.** Hugo accepts content files in several markup formats. Files mapped to the `text/html` media type (typically `.html` files under `/content`, or pages produced by a content adapter that sets `content.mediaType = "text/html"`) had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source — for example, a CMS-backed editor, a content adapter pulling from an external API, or an automated import pipeline — could therefore be served stored cross-site scripting.

**Mitigation.** v0.162.0 introduces a `security.allowContent` whitelist with `text/html` denied by default. Sites that intentionally author HTML content can opt back in:

```toml
[security]
allowContent = ['.*']
```

This only affects pages whose source file (or content adapter output) declares an HTML media type; Markdown, AsciiDoc, Org, Pandoc and reStructuredText content is unaffected.
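As an added illustration (not Hugo's own code), the gate the fix introduces modelled in Go: a page's media type is resolved from a content adapter override or its file extension, then matched against the `security.allowContent` regex list before the body is emitted verbatim. The default pattern list is an assumption, since the advisory states only that `text/html` is denied by default; note that the `['.*']` opt-in re-enables verbatim HTML for every source, content adapters included.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// Assumed default allow-list: the advisory says only that text/html is denied by default.
var defaultAllowContent = []string{`^text/markdown$`, `^text/asciidoc$`, `^text/org$`, `^text/pandoc$`, `^text/rst$`}

// mediaTypeFor: a content adapter's content.mediaType wins, otherwise the file extension decides.
func mediaTypeFor(filename, adapterMediaType string) string {
	if adapterMediaType != "" {
		return adapterMediaType
	}
	switch path.Ext(filename) {
	case ".html", ".htm":
		return "text/html"
	case ".md", ".markdown":
		return "text/markdown"
	}
	return "application/octet-stream"
}

// contentAllowed matches mediaType against the allow-list regexes; a malformed pattern is an error.
func contentAllowed(mediaType string, allow []string) (bool, error) {
	for _, pattern := range allow {
		re, err := regexp.Compile(pattern)
		if err != nil {
			return false, fmt.Errorf("allowContent %q: %w", pattern, err)
		}
		if re.MatchString(mediaType) {
			return true, nil
		}
	}
	return false, nil
}

// emitBody is the gate the fix adds: an allowed type is emitted verbatim, anything else is refused.
func emitBody(filename, adapterMediaType, body string, allow []string) (string, error) {
	if ok, err := contentAllowed(mediaTypeFor(filename, adapterMediaType), allow); err != nil || !ok {
		return "", fmt.Errorf("refusing %s: media type not in security.allowContent (%v)", filename, err)
	}
	return body, nil
}

func main() { // constructed sample input: an .html file dropped in by an import pipeline
	fmt.Println(emitBody("content/import.html", "", "<p>untrusted</p>", defaultAllowContent))
}
```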
