Lucene search
K

16 matches found

Tenable Nessus
Tenable Nessus
added 2026/07/07 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-50134

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not...

6.3CVSS6.1AI score0.00249EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/07/07 12:0 a.m.12 views

Linux Distros Unpatched Vulnerability : CVE-2026-58404

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata...

6.8CVSS6.1AI score0.00208EPSS
Exploits0References3
OSV
OSV
added 2026/07/06 9:16 p.m.5 views

DEBIAN-CVE-2026-50135

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...

5.5CVSS5.9AI score0.00275EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 9:16 p.m.7 views

CVE-2026-50135

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...

6.9CVSS0.00275EPSS
Exploits0References3
OSV
OSV
added 2026/07/06 8:16 p.m.5 views

DEBIAN-CVE-2026-50133

Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html" had their body emitted verbatim...

6.1CVSS5.4AI score0.00187EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 8:16 p.m.7 views

CVE-2026-50134

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server or an attacker controlling its DNS or response could therefore redirect t...

6.3CVSS0.00249EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/07/06 7:52 p.m.7 views

CVE-2026-50135

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...

6.9CVSS5.9AI score0.00275EPSS
Exploits0
Cvelist
Cvelist
added 2026/07/06 7:42 p.m.36 views

CVE-2026-50134 Hugo: security.http.urls allow-list bypass via HTTP redirects

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server or an attacker controlling its DNS or response could therefore redirect t...

6.3CVSS0.00249EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/06 7:42 p.m.6 views

CVE-2026-50134

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server or an attacker controlling its DNS or response could therefore redirect t...

6.3CVSS5.9AI score0.00249EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/07/06 7:31 p.m.5 views

CVE-2026-50133 Hugo: XSS via text/html content files

Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html" had their body emitted verbatim...

5.1CVSS5.5AI score0.00187EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/07/06 7:31 p.m.5 views

CVE-2026-50133

Hugo is a static site generator. Prior to 0.162.0, Hugo accepts content files in several markup formats. Files mapped to the text/html media type typically .html files under /content, or pages produced by a content adapter that sets content.mediaType = "text/html" had their body emitted verbatim...

5.1CVSS5.4AI score0.00187EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/07/06 7:31 p.m.24 views

CVE-2026-50133

CVE-2026-50133 affects Hugo, a static site generator. The issue: before v0.162.0, content files mapped to text/html (e.g., HTML under /content or via adapters setting content.mediaType = "text/html") had their body emitted verbatim, enabling stored cross-site scripting if untrusted HTML content i...

6.1CVSS5.4AI score0.00187EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/06/16 8:12 p.m.6 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the resources.Get function. An attacker can access arbitrary files outside the intended directory by placing a symlink inside a mounted directory that points to files outside the mount. This is only exploitable if the...

6.9CVSS5.9AI score0.00275EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 8:12 p.m.6 views

GHSA-FW87-FV5R-9FPW Hugo: Symlink confinement bypass in resources.Get

Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mount...

6.9CVSS5.6AI score0.00275EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/16 7:22 p.m.22 views

Hugo: security.http.urls allow-list bypass via HTTP redirects

Commit: 86fbb0f7a8 — security: Validate redirects against security.http.urls Affected versions: v0.91.0 when security.http.urls was introduced through v0.161.1. Fixed in: v0.162.0. Severity: Only relevant for sites that rely on security.http.urls as a trust boundary — e.g. CI builds that fetch...

6.3CVSS5.5AI score0.00249EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/16 7:22 p.m.11 views

Hugo: XSS via text/html content files

Commit: e41a06447d — Disallow HTML content by default Affected versions: all Hugo versions prior to v0.162.0. Fixed in: v0.162.0. Severity: Low to Medium, depending on threat model. Not an issue if you fully trust every file under /content and every content adapter you load. Description. Hugo...

6.1CVSS5.1AI score0.00187EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder