Hugo
Monthly
Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.
Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.
Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking `resources.GetRemote` with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the fix is available in v0.163.1.
Hugo is a fast and Flexible Static Site Generator built in Go. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.
Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local mount to escape the mount sandbox and return the contents of arbitrary files accessible to the OS user running the hugo build. A regression in RootMappingFs.statRoot introduced a Stat call where Lstat was required, silently resolving symlinks that cross mount boundaries. No public exploit code or CISA KEV listing exists; the issue is fixed in v0.163.1.
Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrary JavaScript into generated static pages. Hugo versions 0.60.0 through 0.163.2 write the code-fence info-string (language identifier) directly into HTML attribute values without escaping, so a crafted info-string containing a quote character and script payload breaks out of the attribute context. No public exploit or KEV listing exists at time of analysis; the CVSS 4.0 score of 5.1 reflects the requirement for prior write access and victim interaction.
Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the `security.http.urls` IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking `resources.GetRemote` with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the fix is available in v0.163.1.
Hugo is a fast and Flexible Static Site Generator built in Go. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. Public exploit code available.