Symlink Handling Vulnerability in Hugo Static Site Generator by GoHugoIO
CVE-2026-50135

6.9MEDIUM

Key Information:

Vendor

Gohugoio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-50135?

A vulnerability exists in the Hugo static site generator that affects versions 0.123.0 through 0.161.1. The issue arises from a regression that causes the RootMappingFs.statRoot function to use Stat instead of Lstat. This oversight allows a direct resources.Get call on a symlink that points outside its designated mount to unintentionally expose the contents of the target file. As a result, an attacker could exploit this mechanism by placing a symlink within a mounted directory (such as a vendored themes/theme) to read arbitrary files accessible to the user running Hugo. This vulnerability does not impact Go-module themes from GitHub or directory walks. Hugo has addressed this issue in version 0.162.0, and users are strongly advised to upgrade to this version or later to mitigate any potential security risks.

Affected Version(s)

hugo >= 0.123.0, < 0.162.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.