Loopback Request Vulnerability in Hugo Static Site Generator
CVE-2026-58404

4.6MEDIUM

Key Information:

Vendor

Gohugoio

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-58404?

The Hugo static site generator contains a security flaw in the default security.http.urls policy for versions 0.162.0 through 0.163.0. The policy is designed to deny requests to loopback, internal, and cloud-metadata IPv4 literals, but it only matches dotted-decimal notation. Consequently, alternate IPv4 encodings, such as integer, hex, or octal formats, can bypass this policy. This vulnerability allows untrusted data through templates to make requests to sensitive internal services during the build process. The issue is addressed in version 0.163.1.

Affected Version(s)

hugo >= v0.162.0, < v0.163.1

References

CVSS V4

Score:
4.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.