Symlink Vulnerability in Hugo Static Site Generator from GoHugoIO
CVE-2026-58403
5.9MEDIUM
What is CVE-2026-58403?
A vulnerability in the Hugo static site generator affects versions 0.123.0 through 0.163.0, allowing a symlink planted inside a theme or local mount to access arbitrary files. The issue arose due to a regression where RootMappingFs.statRoot erroneously used Stat instead of Lstat. This mistake enabled direct calls to os.ReadFile for symlinks pointing outside the intended mount, compromising file access restrictions intended to isolate filesystem operations. The vulnerability was corrected in version 0.163.1.
Affected Version(s)
hugo >= 0.123.0, < 0.163.1
