CVE-2026-58404
Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
| CWE | CWE-918 |
| Vendor | gohugoio |
| Product | hugo |
| Published | Jul 6, 2026 |
| Last Updated | Jul 7, 2026 |
Get instant alerts for gohugoio hugo
Be the first to know when new unknown vulnerabilities affecting gohugoio hugo are published โ delivered to Slack, Telegram or Discord.