CVE-2026-58403: CWE-59: Improper Link Resolution Before File Access ('Link Following') in gohugoio hugo
A vulnerability in the Hugo static site generator versions from 0.123.0 through 0.163.0 allows symlink traversal due to improper link resolution before file access. This regression caused the system to follow symbolic links when reading files, enabling a symlink inside a mount to access files outside the intended directory tree. The issue is fixed in version 0.163.1.
AI Analysis
Technical Summary
CVE-2026-58403 is a CWE-59 (Improper Link Resolution Before File Access) vulnerability in Hugo's virtual filesystem. Between versions 0.123.0 and 0.163.0, a regression caused the RootMappingFs.statRoot function to call Stat instead of Lstat, resulting in following symbolic links. This allowed an attacker to create a symlink inside a theme or local mount that pointed outside the mount tree, enabling arbitrary file reads accessible by the user running Hugo. The vulnerability is resolved in version 0.163.1.
Potential Impact
An attacker able to place a symlink inside a theme or local mount can read arbitrary files outside the intended directory boundaries, potentially exposing sensitive information accessible to the Hugo process user. This could lead to information disclosure but does not escalate privileges or allow code execution according to the available data.
Mitigation Recommendations
Upgrade to Hugo version 0.163.1 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor advisory indicating the fix in 0.163.1. No other mitigations are specified.
CVE-2026-58403: CWE-59: Improper Link Resolution Before File Access ('Link Following') in gohugoio hugo
Description
A vulnerability in the Hugo static site generator versions from 0.123.0 through 0.163.0 allows symlink traversal due to improper link resolution before file access. This regression caused the system to follow symbolic links when reading files, enabling a symlink inside a mount to access files outside the intended directory tree. The issue is fixed in version 0.163.1.
CVSS v4.0
Score 5.9medium
Affected software
pkg:golang/github.com/gohugoio/hugoRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-58403 is a CWE-59 (Improper Link Resolution Before File Access) vulnerability in Hugo's virtual filesystem. Between versions 0.123.0 and 0.163.0, a regression caused the RootMappingFs.statRoot function to call Stat instead of Lstat, resulting in following symbolic links. This allowed an attacker to create a symlink inside a theme or local mount that pointed outside the mount tree, enabling arbitrary file reads accessible by the user running Hugo. The vulnerability is resolved in version 0.163.1.
Potential Impact
An attacker able to place a symlink inside a theme or local mount can read arbitrary files outside the intended directory boundaries, potentially exposing sensitive information accessible to the Hugo process user. This could lead to information disclosure but does not escalate privileges or allow code execution according to the available data.
Mitigation Recommendations
Upgrade to Hugo version 0.163.1 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor advisory indicating the fix in 0.163.1. No other mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-30T18:19:58.379Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4c076a27e9c7971920cc23
Added to database: 07/06/2026, 19:52:10 UTC
Last enriched: 07/06/2026, 20:06:41 UTC
Last updated: 07/06/2026, 20:11:17 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.