Loopback Request Vulnerability in Hugo Static Site Generator
CVE-2026-58404
4.6MEDIUM
What is CVE-2026-58404?
The Hugo static site generator contains a security flaw in the default security.http.urls policy for versions 0.162.0 through 0.163.0. The policy is designed to deny requests to loopback, internal, and cloud-metadata IPv4 literals, but it only matches dotted-decimal notation. Consequently, alternate IPv4 encodings, such as integer, hex, or octal formats, can bypass this policy. This vulnerability allows untrusted data through templates to make requests to sensitive internal services during the build process. The issue is addressed in version 0.163.1.
Affected Version(s)
hugo >= v0.162.0, < v0.163.1
