Symlink Vulnerability in Hugo Static Site Generator from GoHugoIO
CVE-2026-58403

5.9MEDIUM

Key Information:

Vendor

Gohugoio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-58403?

A vulnerability in the Hugo static site generator affects versions 0.123.0 through 0.163.0, allowing a symlink planted inside a theme or local mount to access arbitrary files. The issue arose due to a regression where RootMappingFs.statRoot erroneously used Stat instead of Lstat. This mistake enabled direct calls to os.ReadFile for symlinks pointing outside the intended mount, compromising file access restrictions intended to isolate filesystem operations. The vulnerability was corrected in version 0.163.1.

Affected Version(s)

hugo >= 0.123.0, < 0.163.1

References

CVSS V4

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.