Lucene search
GoogleOSV:CVE-2020-26284HistoryDec 21, 2020 - 11:15 p.m.
CVE-2020-26284
2020-12-2123:15:12
Google
osv.dev
2
hugo
static site
generator
cve-2020-26284
go
windows
security
upgrade
Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go’s os/exec for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system %PATH% on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (exe or bat) is found in the current working directory at the time of running hugo, the malicious command will be invoked instead of the system one. Windows users who run hugo inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.
Related
nvd
nvd
CVE-2020-26284
2020-12-21 23:15:12
ubuntucve
ubuntucve
CVE-2020-26284
2020-12-21 00:00:00
prion
prion
Design/Logic Flaw
2020-12-21 23:15:00
cvelist
cvelist
github
github
Hugo can execute a binary from the current directory on Windows
2021-06-23 17:28:26
osv
osv
CGA-xqvj-hq58-xgh8
2024-06-06 12:30:03
Hugo can execute a binary from the current directory on Windows
2021-06-23 17:28:26
cve
cve
CVE-2020-26284
2020-12-21 23:15:12
debiancve
debiancve
CVE-2020-26284
2020-12-21 23:15:12
veracode
veracode
Malicious Code Execution
2020-12-22 19:54:46