Description
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
Published: 2026-07-06
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

From version 0.123.0 through 0.163.0, Hugo's virtual filesystem was intended to prevent files within a mount from accessing files outside that mount tree. A regression caused the RootMappingFs.statRoot function to call Stat, which follows symbolic links, instead of Lstat. As a result, a call to os.ReadFile on a symlink that points to a file outside the mount returned the contents of the target file. This allows a user running Hugo to read any file reachable by the build process, such as configuration files or credentials.

Affected Systems

The vulnerability impacts the Hugo static site generator released by gohugoio. It affects all versions from 0.123.0 up to and including 0.163.0. The issue is fixed in release 0.163.1 and later.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score of < 1% points to a very low but non-zero exploitation probability, and the vulnerability is not listed in CISA KEV. The flaw is exploitable only in a local context where the build process has write access to the mount tree and the attacker can place a symlink that points outside the mount. An attacker would need to supply a malicious theme or content with such a symlink, then run Hugo to read arbitrary files that the process can access.

Generated by OpenCVE AI on July 7, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Hugo to version 0.163.1 or later.
  • Remove or replace any symlink that points outside the mount tree before invoking Hugo.
  • Scan theme and content directories for unintended symlinks and delete them.

Generated by OpenCVE AI on July 7, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Gohugo
Gohugo hugo
Vendors & Products Gohugo
Gohugo hugo

Mon, 06 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
Title Hugo symlink confinement bypass in os.ReadFile
Weaknesses CWE-59
References
Metrics cvssV4_0

{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-06T20:51:27.624Z

Reserved: 2026-06-30T18:19:58.379Z

Link: CVE-2026-58403

cve-icon Vulnrichment

Updated: 2026-07-06T20:51:24.283Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T17:30:17Z

Weaknesses
  • CWE-59

    Improper Link Resolution Before File Access ('Link Following')