PatchSiren

CVE-2026-44301 Gohugo CVE debrief

CVE-2026-44301 is a medium-severity Hugo vulnerability affecting versions 0.43 up to, but not including, 0.161.0. When Hugo builds sites that use Node-based asset pipelines such as PostCSS, Babel, or TailwindCSS, it could invoke those tools without restricting filesystem access. If an attacker can influence the site being built, code running through those tools may be able to read or write files outside the project’s working directory. The issue is fixed in Hugo 0.161.0.

Vendor: Gohugo
Product: Hugo
CVSS: MEDIUM 6.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-21
Advisory published: 2026-05-12
Advisory updated: 2026-05-21

Who should care

Hugo users and platform teams who build untrusted or externally supplied sites, especially if their build process uses PostCSS, Babel, or TailwindCSS. CI/CD operators and developers who run Hugo in shared or sensitive environments should also pay attention.

Technical summary

According to the vendor advisory referenced by NVD, Hugo versions from 0.43 up to but not including 0.161.0 could execute configured Node-based tooling without filesystem restrictions during site builds. The affected pipeline paths include PostCSS, Babel, and TailwindCSS integrations. NVD maps the issue to CWE-22 and records vulnerable CPE coverage for gohugo:hugo in the affected version range. The practical impact is that building an untrusted site may allow tool-executed code to access files beyond the site’s working directory. Users who do not use these Node-based tools, or who only build trusted sites, are not affected.

Defensive priority

Medium. Prioritize remediation if Hugo is used to build untrusted content or if build jobs run with access to sensitive files, secrets, or shared workspaces.

Recommended defensive actions

  • Upgrade Hugo to version 0.161.0 or later.
  • Review build pipelines that use PostCSS, Babel, or TailwindCSS with Hugo and confirm they are running the fixed version.
  • Treat site content and build inputs as untrusted when Hugo processes externally supplied projects.
  • Run builds in a sandboxed or least-privilege environment with restricted filesystem access.
  • Audit CI/CD runners, containers, and workspaces to ensure secrets and sensitive files are not exposed to the build process.
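
The first two actions can be turned into a CI gate. The script below is an added example, not code from the Hugo project or the advisory: it checks a `hugo version` string against the affected range and scans a site's templates for the PostCSS, Babel, and TailwindCSS pipes. The function names and verdict strings are hypothetical, and the template scan is a heuristic that assumes templates live under layouts/ or themes/.

```sh
#!/bin/sh
# Added example: CI triage for CVE-2026-44301 (not Hugo project code).
# Affected range per the advisory: 0.43 <= version < 0.161.0.

# Extract MAJOR.MINOR[.PATCH] from `hugo version` output (old or new format).
parse_hugo_version() {
    printf '%s\n' "$1" | grep -Eo 'v[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1 | cut -c2-
}

# Succeed (exit 0) when the version lies inside the affected range.
hugo_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 0 ] && [ "$minor" -ge 43 ] && [ "$minor" -lt 161 ]
}

# Heuristic: succeed when templates under DIR call the Node-based pipes.
# Templates pulled in as Hugo Modules live outside DIR and are not scanned.
site_uses_node_pipes() {
    pattern='(css|resources|js)\.(PostCSS|Babel|TailwindCSS)|[|(] *(postCSS|babel)'
    grep -rEqs -e "$pattern" "$1/layouts" "$1/themes"
}

# Print one verdict for a `hugo version` string and a site directory.
triage() {
    ver=$(parse_hugo_version "$1")
    if [ -z "$ver" ]; then echo "unknown-version"; return 0; fi
    if ! hugo_version_affected "$ver"; then echo "version-not-in-range"; return 0; fi
    if site_uses_node_pipes "$2"; then
        echo "affected-upgrade-to-0.161.0"
    else
        echo "version-in-range-no-node-pipes-found"
    fi
}

# Constructed sample site: one template that pipes CSS through PostCSS.
make_demo_site() {
    d=$(mktemp -d)
    mkdir -p "$d/layouts"
    printf '%s\n' '{{ $css := resources.Get "main.css" | css.PostCSS }}' \
        > "$d/layouts/baseof.html"
    printf '%s\n' "$d"
}

# In CI: triage "$(hugo version)" "$PWD"
```

A "version-in-range-no-node-pipes-found" verdict still warrants the upgrade, since the scan cannot see templates supplied by modules.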

Evidence notes

This debrief is based on the official CVE record, NVD entry, and the linked GitHub security advisory. The CVE description states the affected range is 0.43 to before 0.161.0 and that the issue arises when Hugo invokes Node-based asset tools such as PostCSS, Babel, and TailwindCSS without filesystem restrictions. NVD marks the vulnerability as analyzed, cites CWE-22, and links the vendor advisory. CVE publishedAt and sourcePublishedAt are 2026-05-12T22:16:36.843Z; modifiedAt and sourceModifiedAt are 2026-05-21T20:21:56.627Z.

Official resources

CVE published on 2026-05-12T22:16:36.843Z and last modified on 2026-05-21T20:21:56.627Z. NVD references the linked GitHub security advisory as the vendor advisory and mitigation source.