SSRF in Gohugoio Hugo

CVE-2026-50134

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker…

Vulnerability class: SSRF (Server-Side Request Forgery)

Affected products

Weakness classification (CWE)

References