Symlink Handling Vulnerability in Hugo Static Site Generator by GoHugoIO
CVE-2026-50135
What is CVE-2026-50135?
A vulnerability exists in the Hugo static site generator that affects versions 0.123.0 through 0.161.1. The issue arises from a regression that causes the RootMappingFs.statRoot function to use Stat instead of Lstat. This oversight allows a direct resources.Get call on a symlink that points outside its designated mount to unintentionally expose the contents of the target file. As a result, an attacker could exploit this mechanism by placing a symlink within a mounted directory (such as a vendored themes/theme) to read arbitrary files accessible to the user running Hugo. This vulnerability does not impact Go-module themes from GitHub or directory walks. Hugo has addressed this issue in version 0.162.0, and users are strongly advised to upgrade to this version or later to mitigate any potential security risks.
Affected Version(s)
hugo >= 0.123.0, < 0.162.0
