๐Ÿ” CVE Alert

CVE-2026-58404

UNKNOWN 0.0

Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings

CVSS Score
0.0
EPSS Score
0.2%
EPSS Percentile
16th

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.

CWE CWE-918
Vendor gohugoio
Product hugo
Published Jul 6, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for gohugoio hugo

Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

gohugoio / hugo
>= v0.162.0, < v0.163.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv github.com: https://github.com/gohugoio/hugo/pull/15020 github.com: https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372 github.com: https://github.com/gohugoio/hugo/releases/tag/v0.163.1