Hugo v0.163.1: Security Fixes and Bug Patches

Hugo · 18 Jun 2026 · 1 min read

#hugo

Hugo v0.163.1 Security Release

Hugo v0.163.1 is a security-focused release that patches several vulnerabilities discovered by contributor @vnth4nhnt. The update addresses critical security concerns while also resolving a few bugs.

Security Updates

  • Upstream fix: Applied a patch in golang.org/x/image via a Dependabot pull request.
  • Normalized IPv4 host encodings: Enhanced the http.urls security check to handle integer IPv4 host formats.
  • Removed symlink support: The functions os.ReadDir, os.ReadFile, os.Stat, and os.FileExists no longer follow symbolic links, preventing symlink-based attacks.

Bug Fixes

  • Merge behavior with --renderSegments flag: Fixed an issue where site rendering with the --renderSegments flag behaved incorrectly (issue #15024).
  • convert command: Resolved a problem in the convert command (issue #15012).

Team Commentary

The Hugo team notes that while the number of security reports has increased, this is largely attributed to AI tools testing Hugo's restrictive security model, not a decline in Hugo's security posture. Developers are strongly encouraged to upgrade to maintain a secure static site build environment.

Source: https://github.com/gohugoio/hugo/releases/tag/v0.163.1

Source: https://github.com/gohugoio/hugo/releases/tag/v0.163.1

Related

auto-curated · source linked above ← all news