gohugoio/hugo v0.162.0

on GitHub

The notable new feature in this release is support for AVIF images (both encoder and decoder). There's a demo site set up that demonstrates the difference between HDR AVIF and SDR JPEG images. Note that that demo is only really interesting if viewed on an HDR capable screen (e.g. Apple Retina).

Security fixes

There are some notable security fixes in this release.

Security fixes in Go

This release upgrades from Go 1.26.1 to 126.3, which brings a set of security fixes. Some relevant for Hugo are:

• XSS in html/template (CVE-2026-39826 & CVE-2026-39823): Two separate vulnerabilities where escaper bypasses in html/template could lead to Cross-Site Scripting (XSS).
• html/template: Fixes an issue where JS template literal contexts were incorrectly tracked across template branches, which could lead to improper content escaping.

Security fixes and hardening in Hugo

The following changes either fix a concrete issue or reduce the default attack surface of hugo builds.

• Disallow text/html content files by default (e41a064). A new security.allowContent policy gates which content media types may be used for pages under /content. text/html is denied by default; sites that rely on hand-authored or adapter-emitted HTML content can opt back in with security.allowContent = ['.*'].
• Re-check security.http.urls on every redirect hop in resources.GetRemote (86fbb0f).
• Reject symlinked entries in resources.Get (f8b5fa0).

We will update this section later with links to CVEs where applicable.

All changes

• hugolib: Fix Page.GitInfo for modules with go.mod in a repo subdirectory df54219 @bep #14942
• Fix typo in CONTRIBUTING.md 4bc7cae @bep
• resources: Fix the :counter placeholder 5d51b82 @jmooring #14921
• commands: Fix import from Jekyll 81d7762 @jmooring #14795 #14906
• Fix prevention of direct symlink reads in resources.Get f8b5fa0 @bep
• commands: Fix github-dark chromastyles 88d838a @xndvaz #14831
• Disallow HTML content by default e41a064 @bep
• Add image processing support for AVIF 90d9f81 @bep #7837
• config: Preserve intentionally empty maps 80e6084 @jmooring #14944
• hugolib: Merge existing hugo_stats.json when renderSegments is set aeb9a5c @bep #14939
• all: Replace RWMutex struct caches with ConcurrentMap c4bbc28 @bep
• tpl/tplimpl: Consolidate and improve embedded template integration tests d8c7021 @jmooring #14932
• parser: Drop empty sub maps from hugo config output ee4f1ac @bep #14855
• markup/highlight: Allow overriding type and code via options b613365 @bep #11872
• Update AI assistance disclosure requirements d2c821b @bep
• hugolib: Use AllTranslated in IsTranslated 4ed7600 @bep
• tpl: Simplify sitemap template cbe4339 @bep #14912
• tpl: Use AllTranslations in sitemap template 6475d30 @bep #14912 #14917
• tpl/collections: Make dict return nil when no values are provided 67aede4 @bep
• Sync Go template package to 1.26.3 87f194b @bep #14897
• Upgrade to Go 1.26.3 d81e3c2 @bep #14897
• ci: Check embedded template formatting with gotmplfmt 7c65a4d @bep
• tpl: Run gotmplfmt -w . d31a927 @bep
• markup/goldmark/codeblocks: Always split Chroma options into .Options c36608c @jmooring #14909
• hugolib: Allow empty params front matter 2f361a8 @xndvaz #14886
• common/hmaps: Merge slice-valued module config into site config 5559263 @jmooring #13869
• tpl: Use GetMatch for both local and global image resources 656fc04 @bep #14062
• Revert "markup/tableofcontents: Skip empty TOC levels" a20cb5b @bep #14898
• tpl/templates: Reject Defer inside partialCached 4d775cb @bep #13492
• common/hexec: Make NODE_PATH a fallback for ESM bare imports ae7bf74 @bep #13987
• config: Allow repeating the root key in /config files ba5d812 @bep #12899 #14882
• Revise test naming guidelines in AGENTS.md be4a0df @bep
• Update AGENTS.md e4cf565 @bep
• js: Return error for missing batch imports 9e64953 @xndvaz #13737
• resources/images: Keep smart crop target size f0cfc28 @xndvaz #13688
• testing: Use synctest where relevant 16e854a @bep
• security: Validate redirects against security.http.urls 86fbb0f @bep #14871
• markup/tableofcontents: Skip empty TOC levels 7d4af7a @xndvaz #7128
• Fall back to hugo.buildDate in hugo.BuildDate() in non-vcs builds 28147cb @bep #14862
• css: Make css.Build's file-loader URLs absolute to web context root e51e761 @bep #14849
• hugolib: Don't warn about lang/kind/path coming from cascade.params 7011239 @bep #14848
• markup/goldmark: Unwrap inner HTML for plain code blocks 694906f @cyphercodes #14820
• tpl/tplimpl: Extend page image lookup to include global resources d27b9c0 @ogulcanaydogan #14062
• security: Allow hostnames starting with digits in default http.urls 62cef36 @bep #14837
• commands: Improve description of command flags ff22c62 @jmooring #14817
• build(deps): bump golang.org/x/net from 0.54.0 to 0.55.0 4f444c8 @dependabot[bot]
• build(deps): bump golang.org/x/image from 0.40.0 to 0.41.0 fe6c726 @dependabot[bot]
• build(deps): bump github.com/getkin/kin-openapi from 0.137.0 to 0.138.0 6a2a038 @dependabot[bot]
• build(deps): bump github.com/JohannesKaufmann/html-to-markdown/v2 cf1de59 @dependabot[bot]
• build(deps): bump golang.org/x/image from 0.39.0 to 0.40.0 97f990c @dependabot[bot]
• build(deps): bump golang.org/x/tools from 0.44.0 to 0.45.0 b99634e @dependabot[bot]
• build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 fdd977e @dependabot[bot]
• build(deps): bump github.com/pelletier/go-toml/v2 from 2.3.0 to 2.3.1 123018d @dependabot[bot]
• deps: Upgrade to Chroma v2.24.1 b88fa8c @bep #14839