6 matches found
GO-2026-5380 Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo
Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo...
CVE-2026-50135
Summary: Hugo up to v0.161.1 is affected by a symlink confinement bypass in the virtual filesystem used by Hugo’s resources.Get. Root cause: A regression in RootMappingFs.statRoot caused it to call Stat (which follows symlinks) instead of Lstat, allowing a symlink inside a mounted directory (e.g....
CVE-2026-50135 Hugo: Symlink confinement bypass in resources.Get
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...
CVE-2026-58403
Hugo (static site generator) vulnerable from v0.123.0 through v0.163.0. A regression in RootMappingFs.statRoot caused it to call Stat (which follows symlinks) instead of Lstat, enabling os.ReadFile on a symlink to read the target file outside the mount. This could let a symlink inside a theme or ...
GHSA-FW87-FV5R-9FPW Hugo: Symlink confinement bypass in resources.Get
Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mount...
Hugo: Symlink confinement bypass in resources.Get
Commit: f8b5fa09a6 — Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mount...