Skip to main content

Hugo

4 CVEs product

Monthly

CVE-2026-58403 Go MEDIUM PATCH This Month

Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.

Information Disclosure Hugo
NVD GitHub
CVSS 4.0
5.9
EPSS
0.4%
CVE-2026-58402 Go MEDIUM PATCH This Month

Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.

XSS Hugo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-58404 Go MEDIUM PATCH This Month

Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking `resources.GetRemote` with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the fix is available in v0.163.1.

SSRF Hugo
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2020-26284 Go HIGH POC PATCH This Week

Hugo is a fast and Flexible Static Site Generator built in Go. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.

Microsoft Command Injection Hugo
NVD GitHub
CVSS 3.1
8.5
EPSS
1.5%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.

Information Disclosure Hugo
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.

XSS Hugo
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking `resources.GetRemote` with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the fix is available in v0.163.1.

SSRF Hugo
NVD GitHub VulDB
EPSS 1% CVSS 8.5
HIGH POC PATCH This Week

Hugo is a fast and Flexible Static Site Generator built in Go. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.

Microsoft Command Injection Hugo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy