Description
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
Published: 2026-07-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A regression in Hugo between versions 0.123.0 and 0.161.1 caused the internal RootMappingFs.statRoot the contents of a file when the requested path was a symlink that pointed outside its intended mount point. The result is that an attacker who can supply or modify a local theme or other mounted content can read any file accessible to the Hugo process, a classic example of a local file read vulnerability (CWE-59).

Affected Systems

All installations of Hugo from 0.123.0 to 0.161.1 are affected. The flaw is relevant whenever a local mount, such as a vendored theme under themes/, contains a symlink that points to a file outside that directory. The issue is fixed starting with Hugo 0.162.0.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, indicating moderate severity. No EPSS score is available, so its exploitation probability remains unknown, and it is not listed in CISA's KEV catalog. Exploitation requires the ability to place a sy a capability that exists when developers provide custom or third‑party themes. Once such a symlink is present, a call to resources.Get will expose the target file’s contents to the user running the build process.

Generated by OpenCVE AI on July 7, 2026 at 05:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hugo to version 0.162.0 or later to ensure resources.Get no longer follows symlinks outside the mount root.
  • Review any local theme directories or other mounts for symlinks that point beyond the intended directory tree and remove or adjust them to avoid unintended access.
  • After upgrading, rebuild the site to confirm that the symlink bypass no longer occurs and that all file reads are confined within the expected boundaries.

Generated by OpenCVE AI on July 7, 2026 at 05:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fw87-fv5r-9fpw Hugo: Symlink confinement bypass in resources.Get
History

Tue, 07 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Description Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
Title Hugo: Symlink confinement bypass in resources.Get
Weaknesses CWE-59
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-07T16:57:29.874Z

Reserved: 2026-06-03T18:49:32.275Z

Link: CVE-2026-50135

cve-icon Vulnrichment

Updated: 2026-07-07T16:52:35.316Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:30:04Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')