Skip to main content

Hugo CVE-2026-58403

| EUVDEUVD-2026-41907 MEDIUM
Improper Link Resolution Before File Access (CWE-59)
2026-07-06 GitHub_M
5.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

AT:P (symlink must be pre-planted) maps to AC:H; UI:A to UI:R; no integrity or availability impact applies.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 21:16 EUVD
Analysis Generated
Jul 06, 2026 - 20:08 vuln.today

DescriptionCVE.org

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.

AnalysisAI

Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Compromise or supply malicious theme repository
Delivery
Plant symlink targeting sensitive file outside mount
Exploit
Developer or CI runs hugo build with malicious theme
Install
RootMappingFs.statRoot calls Stat instead of Lstat
C2
Mount boundary bypassed, target file read by hugo
Execute
Sensitive file contents embedded in site output
Impact
Attacker retrieves exposed data from build artifacts

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker-controlled symlink to exist inside a Hugo theme directory or a locally configured mount at the time hugo processes it - meaning the attacker must have already compromised the theme source, the local filesystem, or the supply chain before the build runs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.9 (AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) captures the tension between high confidentiality impact and meaningful exploitation prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a Hugo theme repository (via supply-chain compromise, typosquatting, or a malicious PR) plants a symlink inside the theme directory tree - for example, credentials.txt pointing to /home/user/.ssh/id_rsa or a CI environment file. When a developer or automated pipeline runs hugo build against that theme on an affected version, the Lstat regression causes hugo to read and embed the symlink target's contents into the generated site output, potentially exposing secrets to anyone with access to the built artifacts. …
Remediation Upgrade Hugo to v0.163.1 or later, available at https://github.com/gohugoio/hugo/releases/tag/v0.163.1, which restores the correct Lstat call and re-establishes the filesystem sandbox. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy