Source: hugo Version: 0.162.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for hugo. CVE-2026-58402[0]: | Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's | default code-block renderer wrote the Markdown code-fence language | or info-string into the code class="language-…" data-lang="…" | wrapper without HTML escaping. A fence info-string containing a | quote and a script payload breaks out of the attribute and injects a | live script element. This issue is fixed in 0.163.3. CVE-2026-58403[1]: | Hugo is a static site generator. From v0.123.0 through v0.163.0, | Hugo's virtual filesystem is designed so that files under a mount | cannot reach outside the mount tree, but a regression caused | RootMappingFs.statRoot to call Stat, which follows symlinks, instead | of Lstat, so a direct os.ReadFile "somefile" where somefile was a | symlink pointing outside the mount would return the target's | contents. This effectively let a symlink planted inside a theme or | local mount read arbitrary files reachable to the user running hugo. | This issue is fixed in v0.163.1. CVE-2026-58404[2]: | Hugo is a static site generator. From v0.162.0 through v0.163.0, the | default security.http.urls policy denies requests to loopback, | internal, and cloud-metadata IPv4 literals, but the deny rule only | matched dotted-decimal notation, so alternate IPv4 encodings of the | same addresses, including integer, hex, or octal, passed the policy. | When a template passes an untrusted or data-derived URL to | resources.GetRemote and the host platform uses the cgo system | resolver, these encodings resolve to the blocked address, allowing | build-time server-side requests to loopback and internal services, | including the cloud-metadata endpoint in hosted or CI builds; the | same check is reused on redirects, so the gap also applies to each | redirect hop. This issue is fixed in v0.163.1. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-58402 https://www.cve.org/CVERecord?id=CVE-2026-58402 [1] https://security-tracker.debian.org/tracker/CVE-2026-58403 https://www.cve.org/CVERecord?id=CVE-2026-58403 [2] https://security-tracker.debian.org/tracker/CVE-2026-58404 https://www.cve.org/CVERecord?id=CVE-2026-58404 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

