PatchSiren

gohugoio CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM gohugoio CVE published 2026-07-06

CVE-2026-50135

A regression in Hugo, a static site generator, from version 0.123.0 to 0.161.1, caused the RootMappingFs.statRoot function to use Stat (which follows symlinks) instead of Lstat. This change allowed a direct resources.Get of a symlink pointing outside its mount to return the target's contents. Consequently, a symlink planted in a local mount, such as a vendored themes/ theme, could be used to read arbitrar [truncated]