Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector and low privileges because the attacker must have write access to a theme directory; high confidentiality impact as arbitrary files readable by the hugo process user can be exfiltrated; no integrity or availability impact confirmed.
Primary rating from Vendor (https://github.com/gohugoio/hugo).
CVSS VectorVendor: https://github.com/gohugoio/hugo
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Commit: f8b5fa09a6 - _Fix prevention of direct symlink reads in resources.Get_ Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory - for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.
Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct resources.Get "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.
Mitigation. v0.162.0 calls LstatIfPossible and rejects symlinked entries with os.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.
AnalysisAI
Symlink confinement bypass in Hugo static site generator v0.123.0 through v0.161.1 allows an attacker who can place a symlink inside a locally-mounted directory - such as a vendored theme under themes/ - to read arbitrary files accessible to the user running the hugo build process. The regression in RootMappingFs.statRoot (calling Stat instead of Lstat) defeats the virtual filesystem's mount boundary enforcement specifically for resources.Get direct lookups, while multi-directory walks remained unaffected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker can place a symlink inside a Hugo-mounted directory - specifically a locally-vendored theme directory (e.g., `themes/<name>/assets/`) or any other local directory mounted into the Hugo build. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor rates this Medium severity, which is consistent with the exploitation prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with write access to a locally-vendored Hugo theme creates a symlink such as `themes/mytheme/assets/exfil.txt -> /etc/shadow` inside the theme's assets directory. When the site author runs `hugo` and any template calls `resources.Get "exfil.txt"`, Hugo's `statRoot` silently follows the symlink via `Stat` and returns the target file's contents, which may be rendered into generated HTML output, logged, or otherwise exposed. … |
| Remediation | Upgrade Hugo to v0.162.0 or later, which is the vendor-confirmed fixed release available at https://github.com/gohugoio/hugo/releases/tag/v0.162.0; the specific patch commit is https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41922
GHSA-fw87-fv5r-9fpw