Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
22 vulnerabilities by gohugoio
CVE-2026-50135 (GCVE-0-2026-50135)
Vulnerability from nvd – Published: 2026-07-06 19:52 – Updated: 2026-07-06 19:52
VLAI
Title
Hugo: Symlink confinement bypass in resources.Get
Summary
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored themes/ theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
Severity
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/f8b5fa09a… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.162.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.162.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made \u00a0RootMappingFs.statRoot\u00a0 use \u00a0Stat\u00a0 (follows symlinks) instead of \u00a0Lstat\u00a0, so a direct \u00a0resources.Get\u00a0 of a symlink pointing outside its mount returned the target\u0027s contents \u2014 letting a symlink planted in a local mount (e.g. a vendored \u00a0themes/\u00a0 theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:52:04.561Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw"
},
{
"name": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
}
],
"source": {
"advisory": "GHSA-fw87-fv5r-9fpw",
"discovery": "UNKNOWN"
},
"title": "Hugo: Symlink confinement bypass in resources.Get"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50135",
"datePublished": "2026-07-06T19:52:04.561Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-07-06T19:52:04.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58404 (GCVE-0-2026-58404)
Vulnerability from nvd – Published: 2026-07-06 19:16 – Updated: 2026-07-06 19:16
VLAI
Title
Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings
Summary
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/pull/15020 | x_refsource_MISC |
| https://github.com/gohugoio/hugo/commit/a00b5c72a… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.163.1 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= v0.162.0, \u003c v0.163.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:16:15.945Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv"
},
{
"name": "https://github.com/gohugoio/hugo/pull/15020",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/pull/15020"
},
{
"name": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
}
],
"source": {
"advisory": "GHSA-r46f-3rpw-hxrv",
"discovery": "UNKNOWN"
},
"title": "Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-58404",
"datePublished": "2026-07-06T19:16:15.945Z",
"dateReserved": "2026-06-30T18:19:58.379Z",
"dateUpdated": "2026-07-06T19:16:15.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58403 (GCVE-0-2026-58403)
Vulnerability from nvd – Published: 2026-07-06 19:25 – Updated: 2026-07-06 20:51
VLAI
Title
Hugo symlink confinement bypass in os.ReadFile
Summary
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/pull/15020 | x_refsource_MISC |
| https://github.com/gohugoio/hugo/commit/cf9c8f93c… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.163.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58403",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T20:51:16.911843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:51:27.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.163.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo\u0027s virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile \"somefile\" where somefile was a symlink pointing outside the mount would return the target\u0027s contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:25:45.971Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc"
},
{
"name": "https://github.com/gohugoio/hugo/pull/15020",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/pull/15020"
},
{
"name": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
}
],
"source": {
"advisory": "GHSA-c3wq-j5vh-68rc",
"discovery": "UNKNOWN"
},
"title": "Hugo symlink confinement bypass in os.ReadFile"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-58403",
"datePublished": "2026-07-06T19:25:45.971Z",
"dateReserved": "2026-06-30T18:19:58.379Z",
"dateUpdated": "2026-07-06T20:51:27.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58402 (GCVE-0-2026-58402)
Vulnerability from nvd – Published: 2026-07-06 19:19 – Updated: 2026-07-06 20:54
VLAI
Title
Hugo default code block renderer XSS via unescaped code-fence language
Summary
Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/pull/15051 | x_refsource_MISC |
| https://github.com/gohugoio/hugo/commit/ce1a7e0bc… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.163.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T20:52:58.622823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:54:38.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.60.0, \u003c 0.163.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo\u0027s default code-block renderer wrote the Markdown code-fence language or info-string into the code class=\"language-\u2026\" data-lang=\"\u2026\" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:19:58.754Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6"
},
{
"name": "https://github.com/gohugoio/hugo/pull/15051",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/pull/15051"
},
{
"name": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3"
}
],
"source": {
"advisory": "GHSA-q76j-gcg9-vxc6",
"discovery": "UNKNOWN"
},
"title": "Hugo default code block renderer XSS via unescaped code-fence language"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-58402",
"datePublished": "2026-07-06T19:19:58.754Z",
"dateReserved": "2026-06-30T18:19:58.378Z",
"dateUpdated": "2026-07-06T20:54:38.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50134 (GCVE-0-2026-50134)
Vulnerability from nvd – Published: 2026-07-06 19:42 – Updated: 2026-07-06 19:42
VLAI
Title
Hugo: security.http.urls allow-list bypass via HTTP redirects
Summary
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/86fbb0f7a… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.162.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.91.0, \u003c 0.162.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:42:49.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g"
},
{
"name": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
}
],
"source": {
"advisory": "GHSA-vxgm-5rmg-5w8g",
"discovery": "UNKNOWN"
},
"title": "Hugo: security.http.urls allow-list bypass via HTTP redirects"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50134",
"datePublished": "2026-07-06T19:42:49.280Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-07-06T19:42:49.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50133 (GCVE-0-2026-50133)
Vulnerability from nvd – Published: 2026-07-06 19:31 – Updated: 2026-07-06 19:31
VLAI
Title
Hugo: XSS via text/html content files
Summary
Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/e41a06447… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.162.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003c 0.162.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = \"text/html\") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:31:50.237Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82"
},
{
"name": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
}
],
"source": {
"advisory": "GHSA-c54g-xjwj-8g82",
"discovery": "UNKNOWN"
},
"title": "Hugo: XSS via text/html content files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50133",
"datePublished": "2026-07-06T19:31:18.386Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-07-06T19:31:50.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44301 (GCVE-0-2026-44301)
Vulnerability from nvd – Published: 2026-05-12 21:37 – Updated: 2026-05-13 12:13
VLAI
Title
Hugo: Node tool execution allows file system access outside the project directory
Summary
Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:12:51.322209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:13:13.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.43.0, \u003c 0.161.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project\u0027s working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:37:52.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857"
}
],
"source": {
"advisory": "GHSA-x597-9fr4-5857",
"discovery": "UNKNOWN"
},
"title": "Hugo: Node tool execution allows file system access outside the project directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44301",
"datePublished": "2026-05-12T21:37:52.825Z",
"dateReserved": "2026-05-05T17:39:31.113Z",
"dateUpdated": "2026-05-13T12:13:13.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35166 (GCVE-0-2026-35166)
Vulnerability from nvd – Published: 2026-04-06 17:37 – Updated: 2026-04-06 18:02
VLAI
Title
Hugo does not properly escape some Markdown links
Summary
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T18:02:26.136376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T18:02:37.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.60.0, \u003c 0.159.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T17:37:05.643Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg"
}
],
"source": {
"advisory": "GHSA-mcv8-8m8x-48pg",
"discovery": "UNKNOWN"
},
"title": "Hugo does not properly escape some Markdown links"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35166",
"datePublished": "2026-04-06T17:37:05.643Z",
"dateReserved": "2026-04-01T17:26:21.133Z",
"dateUpdated": "2026-04-06T18:02:37.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-55601 (GCVE-0-2024-55601)
Vulnerability from nvd – Published: 2024-12-09 21:11 – Updated: 2024-12-10 17:13
VLAI
Title
Hugo does not escape some attributes in internal templates
Summary
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/54398f8d5… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.139.4 | x_refsource_MISC |
| https://gohugo.io/getting-started/configuration-m… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T16:09:30.192956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:13:48.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.139.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T21:11:10.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx"
},
{
"name": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4"
},
{
"name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
"tags": [
"x_refsource_MISC"
],
"url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
}
],
"source": {
"advisory": "GHSA-c2xf-9v2r-r2rx",
"discovery": "UNKNOWN"
},
"title": "Hugo does not escape some attributes in internal templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55601",
"datePublished": "2024-12-09T21:11:10.463Z",
"dateReserved": "2024-12-09T14:22:52.524Z",
"dateUpdated": "2024-12-10T17:13:48.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32875 (GCVE-0-2024-32875)
Vulnerability from nvd – Published: 2024-04-23 20:23 – Updated: 2024-08-02 02:20
VLAI
Title
Hugo doesn't escape markdown title in internal render hooks
Summary
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/releases/tag/v0.125.3 | x_refsource_MISC |
| https://gohugo.io/getting-started/configuration-m… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gohugo:hugo:0.123.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hugo",
"vendor": "gohugo",
"versions": [
{
"lessThan": "0.125.3",
"status": "affected",
"version": "0.123.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-29T19:39:12.988615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:21.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
},
{
"name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.125.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-23T20:23:42.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
},
{
"name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
"tags": [
"x_refsource_MISC"
],
"url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
}
],
"source": {
"advisory": "GHSA-ppf8-hhpp-f5hj",
"discovery": "UNKNOWN"
},
"title": "Hugo doesn\u0027t escape markdown title in internal render hooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32875",
"datePublished": "2024-04-23T20:23:42.535Z",
"dateReserved": "2024-04-19T14:07:11.229Z",
"dateUpdated": "2024-08-02T02:20:35.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26284 (GCVE-0-2020-26284)
Vulnerability from nvd – Published: 2020-12-21 22:40 – Updated: 2024-08-04 15:56
VLAI
Title
Hugo can execute a binary from the current directory on Windows
Summary
Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.
Severity
7.7 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/golang/go/issues/38736 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/golang/go/issues/38736"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003c 0.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-21T22:40:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/golang/go/issues/38736"
}
],
"source": {
"advisory": "GHSA-8j34-9876-pvfq",
"discovery": "UNKNOWN"
},
"title": "Hugo can execute a binary from the current directory on Windows",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26284",
"STATE": "PUBLIC",
"TITLE": "Hugo can execute a binary from the current directory on Windows"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hugo",
"version": {
"version_data": [
{
"version_value": "\u003c 0.79.1"
}
]
}
}
]
},
"vendor_name": "gohugoio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq",
"refsource": "CONFIRM",
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
},
{
"name": "https://github.com/golang/go/issues/38736",
"refsource": "MISC",
"url": "https://github.com/golang/go/issues/38736"
}
]
},
"source": {
"advisory": "GHSA-8j34-9876-pvfq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26284",
"datePublished": "2020-12-21T22:40:15.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-50135 (GCVE-0-2026-50135)
Vulnerability from cvelistv5 – Published: 2026-07-06 19:52 – Updated: 2026-07-06 19:52
VLAI
Title
Hugo: Symlink confinement bypass in resources.Get
Summary
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat (follows symlinks) instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored themes/ theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.
Severity
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/f8b5fa09a… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.162.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.162.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made \u00a0RootMappingFs.statRoot\u00a0 use \u00a0Stat\u00a0 (follows symlinks) instead of \u00a0Lstat\u00a0, so a direct \u00a0resources.Get\u00a0 of a symlink pointing outside its mount returned the target\u0027s contents \u2014 letting a symlink planted in a local mount (e.g. a vendored \u00a0themes/\u00a0 theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:52:04.561Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw"
},
{
"name": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
}
],
"source": {
"advisory": "GHSA-fw87-fv5r-9fpw",
"discovery": "UNKNOWN"
},
"title": "Hugo: Symlink confinement bypass in resources.Get"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50135",
"datePublished": "2026-07-06T19:52:04.561Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-07-06T19:52:04.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50134 (GCVE-0-2026-50134)
Vulnerability from cvelistv5 – Published: 2026-07-06 19:42 – Updated: 2026-07-06 19:42
VLAI
Title
Hugo: security.http.urls allow-list bypass via HTTP redirects
Summary
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/86fbb0f7a… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.162.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.91.0, \u003c 0.162.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:42:49.280Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g"
},
{
"name": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
}
],
"source": {
"advisory": "GHSA-vxgm-5rmg-5w8g",
"discovery": "UNKNOWN"
},
"title": "Hugo: security.http.urls allow-list bypass via HTTP redirects"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50134",
"datePublished": "2026-07-06T19:42:49.280Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-07-06T19:42:49.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-50133 (GCVE-0-2026-50133)
Vulnerability from cvelistv5 – Published: 2026-07-06 19:31 – Updated: 2026-07-06 19:31
VLAI
Title
Hugo: XSS via text/html content files
Summary
Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/e41a06447… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.162.0 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003c 0.162.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type (typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = \"text/html\") had their body emitted verbatim into the rendered page. A site that ingests HTML content from an untrusted source could therefore be served stored cross-site scripting. This vulnerability is fixed in 0.162.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:31:50.237Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c54g-xjwj-8g82"
},
{
"name": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/e41a06447daa3071a01f333fdcec0a5153c3c8d1"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
}
],
"source": {
"advisory": "GHSA-c54g-xjwj-8g82",
"discovery": "UNKNOWN"
},
"title": "Hugo: XSS via text/html content files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-50133",
"datePublished": "2026-07-06T19:31:18.386Z",
"dateReserved": "2026-06-03T18:49:32.275Z",
"dateUpdated": "2026-07-06T19:31:50.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58403 (GCVE-0-2026-58403)
Vulnerability from cvelistv5 – Published: 2026-07-06 19:25 – Updated: 2026-07-06 20:51
VLAI
Title
Hugo symlink confinement bypass in os.ReadFile
Summary
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/pull/15020 | x_refsource_MISC |
| https://github.com/gohugoio/hugo/commit/cf9c8f93c… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.163.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58403",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T20:51:16.911843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:51:27.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.163.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo\u0027s virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile \"somefile\" where somefile was a symlink pointing outside the mount would return the target\u0027s contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:25:45.971Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c3wq-j5vh-68rc"
},
{
"name": "https://github.com/gohugoio/hugo/pull/15020",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/pull/15020"
},
{
"name": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/cf9c8f93ca2a2838ce378f9e36d052ac2f79e229"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
}
],
"source": {
"advisory": "GHSA-c3wq-j5vh-68rc",
"discovery": "UNKNOWN"
},
"title": "Hugo symlink confinement bypass in os.ReadFile"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-58403",
"datePublished": "2026-07-06T19:25:45.971Z",
"dateReserved": "2026-06-30T18:19:58.379Z",
"dateUpdated": "2026-07-06T20:51:27.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58402 (GCVE-0-2026-58402)
Vulnerability from cvelistv5 – Published: 2026-07-06 19:19 – Updated: 2026-07-06 20:54
VLAI
Title
Hugo default code block renderer XSS via unescaped code-fence language
Summary
Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's default code-block renderer wrote the Markdown code-fence language or info-string into the code class="language-…" data-lang="…" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/pull/15051 | x_refsource_MISC |
| https://github.com/gohugoio/hugo/commit/ce1a7e0bc… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.163.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-58402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T20:52:58.622823Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T20:54:38.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.60.0, \u003c 0.163.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo\u0027s default code-block renderer wrote the Markdown code-fence language or info-string into the code class=\"language-\u2026\" data-lang=\"\u2026\" wrapper without HTML escaping. A fence info-string containing a quote and a script payload breaks out of the attribute and injects a live script element. This issue is fixed in 0.163.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:19:58.754Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-q76j-gcg9-vxc6"
},
{
"name": "https://github.com/gohugoio/hugo/pull/15051",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/pull/15051"
},
{
"name": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/ce1a7e0bce3713af40496ded3c2c0ceeed49231d"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.3"
}
],
"source": {
"advisory": "GHSA-q76j-gcg9-vxc6",
"discovery": "UNKNOWN"
},
"title": "Hugo default code block renderer XSS via unescaped code-fence language"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-58402",
"datePublished": "2026-07-06T19:19:58.754Z",
"dateReserved": "2026-06-30T18:19:58.378Z",
"dateUpdated": "2026-07-06T20:54:38.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-58404 (GCVE-0-2026-58404)
Vulnerability from cvelistv5 – Published: 2026-07-06 19:16 – Updated: 2026-07-06 19:16
VLAI
Title
Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings
Summary
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/pull/15020 | x_refsource_MISC |
| https://github.com/gohugoio/hugo/commit/a00b5c72a… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.163.1 | x_refsource_MISC |
{
"containers": {
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= v0.162.0, \u003c v0.163.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:16:15.945Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv"
},
{
"name": "https://github.com/gohugoio/hugo/pull/15020",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/pull/15020"
},
{
"name": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/a00b5c72ac57afe26df6688ece3ca544a56df372"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.163.1"
}
],
"source": {
"advisory": "GHSA-r46f-3rpw-hxrv",
"discovery": "UNKNOWN"
},
"title": "Hugo security.http.urls deny rules bypassed by alternate IPv4 encodings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-58404",
"datePublished": "2026-07-06T19:16:15.945Z",
"dateReserved": "2026-06-30T18:19:58.379Z",
"dateUpdated": "2026-07-06T19:16:15.945Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-44301 (GCVE-0-2026-44301)
Vulnerability from cvelistv5 – Published: 2026-05-12 21:37 – Updated: 2026-05-13 12:13
VLAI
Title
Hugo: Node tool execution allows file system access outside the project directory
Summary
Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:12:51.322209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:13:13.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.43.0, \u003c 0.161.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project\u0027s working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:37:52.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857"
}
],
"source": {
"advisory": "GHSA-x597-9fr4-5857",
"discovery": "UNKNOWN"
},
"title": "Hugo: Node tool execution allows file system access outside the project directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44301",
"datePublished": "2026-05-12T21:37:52.825Z",
"dateReserved": "2026-05-05T17:39:31.113Z",
"dateUpdated": "2026-05-13T12:13:13.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35166 (GCVE-0-2026-35166)
Vulnerability from cvelistv5 – Published: 2026-04-06 17:37 – Updated: 2026-04-06 18:02
VLAI
Title
Hugo does not properly escape some Markdown links
Summary
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T18:02:26.136376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T18:02:37.432Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.60.0, \u003c 0.159.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T17:37:05.643Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-mcv8-8m8x-48pg"
}
],
"source": {
"advisory": "GHSA-mcv8-8m8x-48pg",
"discovery": "UNKNOWN"
},
"title": "Hugo does not properly escape some Markdown links"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35166",
"datePublished": "2026-04-06T17:37:05.643Z",
"dateReserved": "2026-04-01T17:26:21.133Z",
"dateUpdated": "2026-04-06T18:02:37.432Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-55601 (GCVE-0-2024-55601)
Vulnerability from cvelistv5 – Published: 2024-12-09 21:11 – Updated: 2024-12-10 17:13
VLAI
Title
Hugo does not escape some attributes in internal templates
Summary
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/commit/54398f8d5… | x_refsource_MISC |
| https://github.com/gohugoio/hugo/releases/tag/v0.139.4 | x_refsource_MISC |
| https://gohugo.io/getting-started/configuration-m… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T16:09:30.192956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:13:48.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.139.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T21:11:10.463Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx"
},
{
"name": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.139.4"
},
{
"name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
"tags": [
"x_refsource_MISC"
],
"url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
}
],
"source": {
"advisory": "GHSA-c2xf-9v2r-r2rx",
"discovery": "UNKNOWN"
},
"title": "Hugo does not escape some attributes in internal templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55601",
"datePublished": "2024-12-09T21:11:10.463Z",
"dateReserved": "2024-12-09T14:22:52.524Z",
"dateUpdated": "2024-12-10T17:13:48.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32875 (GCVE-0-2024-32875)
Vulnerability from cvelistv5 – Published: 2024-04-23 20:23 – Updated: 2024-08-02 02:20
VLAI
Title
Hugo doesn't escape markdown title in internal render hooks
Summary
Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/gohugoio/hugo/releases/tag/v0.125.3 | x_refsource_MISC |
| https://gohugo.io/getting-started/configuration-m… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gohugo:hugo:0.123.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hugo",
"vendor": "gohugo",
"versions": [
{
"lessThan": "0.125.3",
"status": "affected",
"version": "0.123.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-29T19:39:12.988615Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:51:21.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:35.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
},
{
"name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.123.0, \u003c 0.125.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-23T20:23:42.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-ppf8-hhpp-f5hj"
},
{
"name": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gohugoio/hugo/releases/tag/v0.125.3"
},
{
"name": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault",
"tags": [
"x_refsource_MISC"
],
"url": "https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault"
}
],
"source": {
"advisory": "GHSA-ppf8-hhpp-f5hj",
"discovery": "UNKNOWN"
},
"title": "Hugo doesn\u0027t escape markdown title in internal render hooks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32875",
"datePublished": "2024-04-23T20:23:42.535Z",
"dateReserved": "2024-04-19T14:07:11.229Z",
"dateUpdated": "2024-08-02T02:20:35.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26284 (GCVE-0-2020-26284)
Vulnerability from cvelistv5 – Published: 2020-12-21 22:40 – Updated: 2024-08-04 15:56
VLAI
Title
Hugo can execute a binary from the current directory on Windows
Summary
Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.
Severity
7.7 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gohugoio/hugo/security/advisor… | x_refsource_CONFIRM |
| https://github.com/golang/go/issues/38736 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:03.976Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/golang/go/issues/38736"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "hugo",
"vendor": "gohugoio",
"versions": [
{
"status": "affected",
"version": "\u003c 0.79.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-21T22:40:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/golang/go/issues/38736"
}
],
"source": {
"advisory": "GHSA-8j34-9876-pvfq",
"discovery": "UNKNOWN"
},
"title": "Hugo can execute a binary from the current directory on Windows",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26284",
"STATE": "PUBLIC",
"TITLE": "Hugo can execute a binary from the current directory on Windows"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "hugo",
"version": {
"version_data": [
{
"version_value": "\u003c 0.79.1"
}
]
}
}
]
},
"vendor_name": "gohugoio"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go\u0027s `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq",
"refsource": "CONFIRM",
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"
},
{
"name": "https://github.com/golang/go/issues/38736",
"refsource": "MISC",
"url": "https://github.com/golang/go/issues/38736"
}
]
},
"source": {
"advisory": "GHSA-8j34-9876-pvfq",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26284",
"datePublished": "2020-12-21T22:40:15.000Z",
"dateReserved": "2020-10-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T15:56:03.976Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}