Hugo FS Symlink Traversal (v0.123.0v0.163.0)
CVE-2026-58403 Published on July 6, 2026

Hugo symlink confinement bypass in os.ReadFile
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.

NVD

Weakness Type

What is an insecure temporary file Vulnerability?

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CVE-2026-58403 has been classified to as an insecure temporary file vulnerability or weakness.


Affected Versions

gohugoio hugo Version >= 0.123.0, < 0.163.1 is affected by CVE-2026-58403