PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58403 gohugoio CVE debrief

CVE-2026-58403 is a MEDIUM severity vulnerability in Hugo's virtual filesystem. A regression in Hugo versions from v0.123.0 through v0.163.0 allowed a symlink planted inside a theme or local mount to read arbitrary files reachable to the user running Hugo. This issue is fixed in v0.163.1. The vulnerability was caused by a regression that led to RootMappingFs.statRoot calling Stat, which follows symlinks, instead of Lstat. This allowed an attacker to potentially read sensitive files by creating a symlink to those files.

Vendor
gohugoio
Product
hugo
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Hugo static site generator, especially those using versions between v0.123.0 and v0.163.0, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.163.1 or later and reviewing access controls for sensitive files and directories.

Technical summary

The vulnerability in Hugo's virtual filesystem allows an attacker to read arbitrary files by creating a symlink inside a theme or local mount. This is due to a regression that caused RootMappingFs.statRoot to call Stat instead of Lstat, which follows symlinks. An attacker could exploit this by creating a symlink pointing to a sensitive file, allowing them to read the file's contents. The issue has been fixed in version 0.163.1 of Hugo.

Defensive priority

Medium

Recommended defensive actions

  • Update Hugo to version 0.163.1 or later
  • Review and restrict access to sensitive files and directories
  • Monitor for suspicious activity and implement logging and auditing
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-06T20:16:38.173Z and last modified on 2026-07-07T13:57:07.790Z. The NVD entry is currently Undergoing Analysis. This information is based on the provided source corpus. Further verification is recommended to confirm the accuracy of this information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T20:16:38.173Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.