๐Ÿ” CVE Alert

CVE-2026-58403

UNKNOWN 0.0

Hugo symlink confinement bypass in os.ReadFile

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.

CWE CWE-59
Vendor gohugoio
Product hugo
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for gohugoio hugo

Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

gohugoio / hugo
>= 0.123.0, < 0.163.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc github.com: https://github.com/gohugoio/hugo/pull/15020 github.com: https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229 github.com: https://github.com/gohugoio/hugo/releases/tag/v0.163.1