PatchSiren cyber security CVE debrief
CVE-2026-58403 gohugoio CVE debrief
CVE-2026-58403 is a MEDIUM severity vulnerability in Hugo's virtual filesystem. A regression in Hugo versions from v0.123.0 through v0.163.0 allowed a symlink planted inside a theme or local mount to read arbitrary files reachable to the user running Hugo. This issue is fixed in v0.163.1. The vulnerability was caused by a regression that led to RootMappingFs.statRoot calling Stat, which follows symlinks, instead of Lstat. This allowed an attacker to potentially read sensitive files by creating a symlink to those files.
- Vendor
- gohugoio
- Product
- hugo
- CVSS
- MEDIUM 5.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Hugo static site generator, especially those using versions between v0.123.0 and v0.163.0, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.163.1 or later and reviewing access controls for sensitive files and directories.
Technical summary
The vulnerability in Hugo's virtual filesystem allows an attacker to read arbitrary files by creating a symlink inside a theme or local mount. This is due to a regression that caused RootMappingFs.statRoot to call Stat instead of Lstat, which follows symlinks. An attacker could exploit this by creating a symlink pointing to a sensitive file, allowing them to read the file's contents. The issue has been fixed in version 0.163.1 of Hugo.
Defensive priority
Medium
Recommended defensive actions
- Update Hugo to version 0.163.1 or later
- Review and restrict access to sensitive files and directories
- Monitor for suspicious activity and implement logging and auditing
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-06T20:16:38.173Z and last modified on 2026-07-07T13:57:07.790Z. The NVD entry is currently Undergoing Analysis. This information is based on the provided source corpus. Further verification is recommended to confirm the accuracy of this information.
Official resources
-
CVE-2026-58403 CVE record
CVE.org
-
CVE-2026-58403 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Source reference
[email protected] - Issue Tracking
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:38.173Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.