Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AT:P (symlink must be pre-planted) maps to AC:H; UI:A to UI:R; no integrity or availability impact applies.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
AnalysisAI
Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an attacker-controlled symlink to exist inside a Hugo theme directory or a locally configured mount at the time hugo processes it - meaning the attacker must have already compromised the theme source, the local filesystem, or the supply chain before the build runs. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 5.9 (AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) captures the tension between high confidentiality impact and meaningful exploitation prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls a Hugo theme repository (via supply-chain compromise, typosquatting, or a malicious PR) plants a symlink inside the theme directory tree - for example, credentials.txt pointing to /home/user/.ssh/id_rsa or a CI environment file. When a developer or automated pipeline runs hugo build against that theme on an affected version, the Lstat regression causes hugo to read and embed the symlink target's contents into the generated site output, potentially exposing secrets to anyone with access to the built artifacts. … |
| Remediation | Upgrade Hugo to v0.163.1 or later, available at https://github.com/gohugoio/hugo/releases/tag/v0.163.1, which restores the correct Lstat call and re-establishes the filesystem sandbox. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Hugo is a fast and Flexible Static Site Generator built in Go. Rated high severity (CVSS 8.5), this vulnerability is rem
Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrar
Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block pol
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41907