Hugo CVE-2026-44301
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
When building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory.
Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected.
Patches
From v0.161.0, Hugo runs Node tools under Node's permission model with strict defaults: No write access and only read access to the site source directories and files.
Workarounds
Block these tools in security.exec.allow.
AnalysisAI
Hugo static site generator versions 0.43.0 through 0.160.x allow unrestricted file system access when building sites with Node-based asset pipelines (PostCSS, Babel, TailwindCSS), enabling arbitrary code execution through these tools to read or write files outside the project directory. The vulnerability affects only users who deploy Node asset pipelines; those building trusted sites or not using these pipelines are unaffected. A vendor-released patch in v0.161.0 enforces Node's permission model with strict filesystem defaults.
Technical ContextAI
Hugo is a static site generator written in Go that supports Node.js-based build tools for asset processing. When a user configures asset pipelines like PostCSS, Babel, or TailwindCSS, Hugo invokes these Node tools as child processes to transpile and optimize CSS and JavaScript. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) - Hugo was not constraining the filesystem access granted to spawned Node processes. Node.js has its own permission model (available via Node's --allow-fs-* flags and related APIs), but Hugo was invoking Node tools without applying these restrictions, allowing Node code (including malicious scripts injected into site configuration or dependencies) to traverse the filesystem and access sensitive files outside the Hugo project directory.
RemediationAI
Upgrade Hugo to v0.161.0 or later immediately if your site uses PostCSS, Babel, TailwindCSS, or similar Node-based asset pipelines. This release enforces Node's permission model, restricting Node tool execution to read-only access to the site source directory with no write access outside the project. As a temporary workaround if immediate upgrading is not possible, block Node tool execution by configuring security.exec.allow in your Hugo config file to deny execution of Node-based tools - consult https://gohugo.io/configuration/security/ for syntax. This workaround disables the affected asset pipeline features but eliminates the exploitation path. Test your site build thoroughly after upgrading to ensure asset pipelines function correctly under the new permission restrictions; if external Node tools require broader filesystem access, review their configuration or vendor for sandboxing alternatives.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x597-9fr4-5857