Skip to main content

Hugo CVE-2026-50135

| EUVDEUVD-2026-41922 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-06-16 https://github.com/gohugoio/hugo GHSA-fw87-fv5r-9fpw
6.9
CVSS 4.0 · Vendor: https://github.com/gohugoio/hugo
Share

Severity by source

Vendor (https://github.com/gohugoio/hugo) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Local vector and low privileges because the attacker must have write access to a theme directory; high confidentiality impact as arbitrary files readable by the hugo process user can be exfiltrated; no integrity or availability impact confirmed.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (https://github.com/gohugoio/hugo).

CVSS VectorVendor: https://github.com/gohugoio/hugo

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Jul 06, 2026 - 21:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
Jun 16, 2026 - 20:51 vuln.today
Analysis Generated
Jun 16, 2026 - 20:51 vuln.today

DescriptionCVE.org

Commit: f8b5fa09a6 - _Fix prevention of direct symlink reads in resources.Get_ Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory - for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct resources.Get "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.

Mitigation. v0.162.0 calls LstatIfPossible and rejects symlinked entries with os.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.

AnalysisAI

Symlink confinement bypass in Hugo static site generator v0.123.0 through v0.161.1 allows an attacker who can place a symlink inside a locally-mounted directory - such as a vendored theme under themes/ - to read arbitrary files accessible to the user running the hugo build process. The regression in RootMappingFs.statRoot (calling Stat instead of Lstat) defeats the virtual filesystem's mount boundary enforcement specifically for resources.Get direct lookups, while multi-directory walks remained unaffected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain write access to local theme assets directory
Delivery
Plant symlink pointing outside mount (e.g., themes/mytheme/assets/steal.txt
Exploit
/etc/passwd)
Install
Site author runs hugo build
C2
resources.Get resolves symlink via Stat, bypassing mount boundary check
Execute
Target file contents returned to template engine
Impact
Sensitive file contents rendered into generated site output or logged

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker can place a symlink inside a Hugo-mounted directory - specifically a locally-vendored theme directory (e.g., `themes/<name>/assets/`) or any other local directory mounted into the Hugo build. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor rates this Medium severity, which is consistent with the exploitation prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to a locally-vendored Hugo theme creates a symlink such as `themes/mytheme/assets/exfil.txt -> /etc/shadow` inside the theme's assets directory. When the site author runs `hugo` and any template calls `resources.Get "exfil.txt"`, Hugo's `statRoot` silently follows the symlink via `Stat` and returns the target file's contents, which may be rendered into generated HTML output, logged, or otherwise exposed. …
Remediation Upgrade Hugo to v0.162.0 or later, which is the vendor-confirmed fixed release available at https://github.com/gohugoio/hugo/releases/tag/v0.162.0; the specific patch commit is https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-50135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy