Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector and low privileges because the attacker must have write access to a theme directory; high confidentiality impact as arbitrary files readable by the hugo process user can be exfiltrated; no integrity or availability impact confirmed.
Primary rating from Vendor (https://github.com/gohugoio/hugo).
CVSS VectorVendor: https://github.com/gohugoio/hugo
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Commit: f8b5fa09a6 - _Fix prevention of direct symlink reads in resources.Get_ Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory - for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.
Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct resources.Get "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.
Mitigation. v0.162.0 calls LstatIfPossible and rejects symlinked entries with os.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.
AnalysisAI
Symlink confinement bypass in Hugo static site generator v0.123.0 through v0.161.1 allows an attacker who can place a symlink inside a locally-mounted directory - such as a vendored theme under themes/ - to read arbitrary files accessible to the user running the hugo build process. The regression in RootMappingFs.statRoot (calling Stat instead of Lstat) defeats the virtual filesystem's mount boundary enforcement specifically for resources.Get direct lookups, while multi-directory walks remained unaffected. No public exploit is identified at time of analysis, but the patch commit and regression test scripts are publicly available on GitHub; the vulnerability is not in CISA KEV.
Technical ContextAI
Hugo implements a virtual filesystem abstraction (RootMappingFs) using the afero library to enforce mount boundaries, ensuring that file access under a mount point cannot traverse outside the designated tree - analogous to a chroot jail at the application layer. CWE-59 (Improper Link Resolution Before File Access, commonly 'link following') is the root cause class: the application resolves a symbolic link to its target before verifying the resolved path remains within the intended directory. The regression introduced in v0.123.0 changed statRoot in hugofs/rootmapping_fs.go to call fs.Fs.Stat(filename), which follows symlinks transparently in POSIX semantics, rather than LstatIfPossible, which returns metadata about the symlink itself and allows the caller to detect and reject it. The fix in v0.162.0 adds an explicit fi.Mode()&os.ModeSymlink != 0 check and returns os.ErrNotExist for symlinked entries, matching the behavior of directory-walking code paths and pre-v0.123.0 releases. The affected Go package is pkg:go/github.com_gohugoio_hugo, versions >= 0.123.0 and < 0.162.0.
RemediationAI
Upgrade Hugo to v0.162.0 or later, which is the vendor-confirmed fixed release available at https://github.com/gohugoio/hugo/releases/tag/v0.162.0; the specific patch commit is https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a. Where an immediate upgrade is not possible, audit all locally-vendored theme directories and mounted paths for symlinks pointing outside the mount tree using a command such as find themes/ -type l -ls and remove any discovered; this eliminates the attack vector without code changes but must be repeated each time theme contents change. Migrating locally-vendored themes to Go module sources fetched from GitHub also eliminates the vector because symlinks are stripped at download time, though this may restrict local theme development workflows. There are no other confirmed workarounds; generic filesystem ACLs restricting write access to theme directories reduce risk but do not constitute a complete mitigation if any contributor can add files.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41922
GHSA-fw87-fv5r-9fpw