Skip to main content

Hugo CVE-2026-44301

MEDIUM
Path Traversal (CWE-22)
2026-05-06 https://github.com/gohugoio/hugo GHSA-x597-9fr4-5857
6.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 12, 2026 - 22:22 NVD
6.2 (MEDIUM)
Source Code Evidence Fetched
May 06, 2026 - 21:32 vuln.today
Analysis Generated
May 06, 2026 - 21:32 vuln.today
CVE Published
May 06, 2026 - 20:59 nvd
MEDIUM

DescriptionGitHub Advisory

Impact

When building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory.

Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected.

Patches

From v0.161.0, Hugo runs Node tools under Node's permission model with strict defaults: No write access and only read access to the site source directories and files.

Workarounds

Block these tools in security.exec.allow.

AnalysisAI

Hugo static site generator versions 0.43.0 through 0.160.x allow unrestricted file system access when building sites with Node-based asset pipelines (PostCSS, Babel, TailwindCSS), enabling arbitrary code execution through these tools to read or write files outside the project directory. The vulnerability affects only users who deploy Node asset pipelines; those building trusted sites or not using these pipelines are unaffected. A vendor-released patch in v0.161.0 enforces Node's permission model with strict filesystem defaults.

Technical ContextAI

Hugo is a static site generator written in Go that supports Node.js-based build tools for asset processing. When a user configures asset pipelines like PostCSS, Babel, or TailwindCSS, Hugo invokes these Node tools as child processes to transpile and optimize CSS and JavaScript. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) - Hugo was not constraining the filesystem access granted to spawned Node processes. Node.js has its own permission model (available via Node's --allow-fs-* flags and related APIs), but Hugo was invoking Node tools without applying these restrictions, allowing Node code (including malicious scripts injected into site configuration or dependencies) to traverse the filesystem and access sensitive files outside the Hugo project directory.

RemediationAI

Upgrade Hugo to v0.161.0 or later immediately if your site uses PostCSS, Babel, TailwindCSS, or similar Node-based asset pipelines. This release enforces Node's permission model, restricting Node tool execution to read-only access to the site source directory with no write access outside the project. As a temporary workaround if immediate upgrading is not possible, block Node tool execution by configuring security.exec.allow in your Hugo config file to deny execution of Node-based tools - consult https://gohugo.io/configuration/security/ for syntax. This workaround disables the affected asset pipeline features but eliminates the exploitation path. Test your site build thoroughly after upgrading to ensure asset pipelines function correctly under the new permission restrictions; if external Node tools require broader filesystem access, review their configuration or vendor for sandboxing alternatives.

Share

CVE-2026-44301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy