CVE-2026-50135
Received Received - Intake

Path Traversal in Hugo Static Site Generator

Vulnerability report for CVE-2026-50135, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount (e.g. a vendored  themes/  theme) read arbitrary files accessible to the Hugo user. Go-module themes from GitHub (symlinks stripped) and directory walks were unaffected. Fixed in 0.162.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hugo hugo From 0.123.0 (inc) to 0.161.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, upgrade Hugo to version 0.162.0 or later, where the issue has been fixed.

Avoid using vulnerable versions from 0.123.0 to 0.161.1, as they contain a regression that allows reading arbitrary files via symlinks.

Impact Analysis

This vulnerability can allow an attacker to read arbitrary files on the system where Hugo is running, as long as those files are accessible to the Hugo user. By planting a malicious symlink in a local mount, such as a vendored theme directory, the attacker can cause Hugo to follow the symlink and expose the contents of files outside the intended scope. This can lead to unauthorized disclosure of sensitive information.

Executive Summary

This vulnerability affects Hugo, a static site generator, in versions from 0.123.0 to 0.161.1. Due to a regression, the function RootMappingFs.statRoot used Stat (which follows symlinks) instead of Lstat. This caused a direct resources.Get call on a symlink pointing outside its mount to return the contents of the target file. As a result, a symlink planted in a local mount, such as a vendored themes/ directory, could be used to read arbitrary files accessible to the Hugo user. This issue was fixed in version 0.162.0.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50135. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart