Lucene search
K

6 matches found

Cvelist
Cvelist
added 3 days ago32 views

CVE-2026-50135 Hugo: Symlink confinement bypass in resources.Get

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...

6.9CVSS0.00359EPSS
Exploits0References3
CVE
CVE
added 3 days ago13 views

CVE-2026-50135

Summary: Hugo up to v0.161.1 is affected by a symlink confinement bypass in the virtual filesystem used by Hugo’s resources.Get. Root cause: A regression in RootMappingFs.statRoot caused it to call Stat (which follows symlinks) instead of Lstat, allowing a symlink inside a mounted directory (e.g....

6.9CVSS5.9AI score0.00359EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/06/19 5:45 p.m.8 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the os.ReadFile function during direct lookups via resources.Get. An attacker can access arbitrary files outside the intended directory by placing a symlink inside a mounted directory that points to files outside the...

6.5CVSS6AI score0.00318EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/16 8:12 p.m.9 views

Hugo: Symlink confinement bypass in resources.Get

Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mount...

6.9CVSS5.6AI score0.00359EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/16 8:12 p.m.4 views

GHSA-FW87-FV5R-9FPW Hugo: Symlink confinement bypass in resources.Get

Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mount...

6.9CVSS5.6AI score0.00359EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.13 views

PT-2026-50158

Name of the Vulnerable Software and Affected Versions Hugo versions 0.123.0 through 0.161.1 Description A regression in the virtual filesystem allows a symlink confinement bypass. The RootMappingFs.statRoot function calls Stat, which follows symlinks, instead of Lstat. This allows a direct lookup...

6.9CVSS6AI score0.00359EPSS
Exploits0References8
Rows per page
Query Builder