PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50135 gohugoio CVE debrief

A regression in Hugo, a static site generator, from version 0.123.0 to 0.161.1, caused the RootMappingFs.statRoot function to use Stat (which follows symlinks) instead of Lstat. This change allowed a direct resources.Get of a symlink pointing outside its mount to return the target's contents. Consequently, a symlink planted in a local mount, such as a vendored themes/ theme, could be used to read arbitrary files accessible to the Hugo user. This issue was fixed in version 0.162.0.

Vendor
gohugoio
Product
hugo
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of Hugo static site generator, particularly those using versions between 0.123.0 and 0.161.1, should be aware of this vulnerability. Developers and administrators who manage websites generated with Hugo should assess their exposure and take necessary actions to protect against potential exploitation.

Technical summary

The vulnerability in Hugo arises from a regression introduced in version 0.123.0 and persisting until version 0.161.1. This regression causes the RootMappingFs.statRoot function to incorrectly use Stat instead of Lstat when handling file system operations. As a result, when a resources.Get operation is performed on a symlink that points outside its mount, the function returns the contents of the target file instead of the symlink itself. An attacker could exploit this by creating a symlink in a local mount (for example, in a vendored themes/ directory) that points to an arbitrary file accessible to the Hugo user. Upon accessing the symlink through a resources.Get operation, the contents of the target file would be returned, potentially allowing for unauthorized file reading.

Defensive priority

Medium priority should be given to addressing this vulnerability, especially for environments where Hugo is used in a context that could expose sensitive files or where an attacker might be able to plant symlinks.

Recommended defensive actions

  • Upgrade to Hugo version 0.162.0 or later to fix the vulnerability.
  • Review and audit existing Hugo projects, especially those using affected versions, for potential symlinks that could be exploited.
  • Implement monitoring to detect any suspicious use of resources.Get operations in Hugo projects.
  • Consider restricting access to sensitive files and directories to limit potential damage from exploitation.
  • Regularly update and patch Hugo installations to protect against known vulnerabilities.

Evidence notes

The CVE record was published on 2026-07-06T21:16:56.347Z and was last modified on 2026-07-07T18:16:39.033Z. The NVD entry is currently Undergoing Analysis. The vulnerability was fixed in Hugo version 0.162.0. Limited information is available about the specific exploits or attacks related to this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:56.347Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.