CVE-2026-58403
Received Received - Intake

Symlink Arbitrary File Read in Hugo Static Site Generator

Vulnerability report for CVE-2026-58403, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
hugo hugo From 0.123.0 (inc) to 0.163.0 (inc)
hugo hugo 0.163.1
gohugoio hugo From 0.123.0 (inc) to 0.163.0 (inc)
gohugoio hugo 0.163.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58403 is a vulnerability in the Hugo static site generator versions 0.123.0 through 0.163.0. The issue arises because Hugo's virtual filesystem was designed to prevent files under a mount from accessing files outside the mount tree. However, a regression caused the function RootMappingFs.statRoot to call Stat instead of Lstat, and Stat follows symlinks. This means that if a symlink inside a mounted directory points outside the mount, Hugo's os.ReadFile function would follow the symlink and return the contents of the target file outside the mount.

An attacker could exploit this by planting a symlink inside a theme or local mount directory that points to arbitrary files accessible to the user running Hugo, thereby reading sensitive files outside the intended directory structure.

This vulnerability was fixed in Hugo version 0.163.1 by introducing a DropSymlinksFs wrapper that treats symlinks as non-existent files in various filesystem operations, preventing symlink traversal.

Impact Analysis

This vulnerability can impact you by allowing an attacker to read arbitrary files on the system that are accessible to the user running Hugo. If an attacker can place a symlink inside a mounted directory (such as a theme or local mount), they can bypass the intended filesystem restrictions and access sensitive files outside the mount.

The exposure of arbitrary files could lead to leakage of sensitive information, such as configuration files, credentials, or other private data, depending on what files are accessible to the Hugo process user.

Detection Guidance

This vulnerability involves symlink handling in Hugo's virtual filesystem, where symlinks inside mounts can point outside and allow reading arbitrary files. Detection involves checking for symlinks inside mounted directories used by Hugo, such as themes or local mounts.

You can detect potentially malicious symlinks by scanning the Hugo project directories for symlinks that point outside the intended mount tree.

  • Use the command `find /path/to/hugo/project/themes -type l -exec ls -l {} \;` to list all symlinks in the themes directory.
  • For each symlink found, verify if the target path is outside the expected mount directory using `readlink -f <symlink>` and checking if it points outside the mount.

Additionally, monitoring Hugo versions in use and ensuring they are updated to v0.163.1 or later can help detect if the vulnerable version is running.

Mitigation Strategies

The primary mitigation step is to upgrade Hugo to version 0.163.1 or later, where the vulnerability is fixed.

The fix involves a new filesystem wrapper that drops symlinks during file operations such as os.ReadDir, os.ReadFile, os.Stat, and os.FileExists, preventing symlink traversal attacks.

Until the upgrade can be applied, avoid using untrusted themes or local mounts that may contain malicious symlinks.

Review and remove any suspicious symlinks inside mounted directories that could point outside the mount tree.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58403. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart