Source: hugo
Version: 0.162.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for hugo.

CVE-2026-58402[0]:
| Hugo is a static site generator. From 0.60.0 until 0.163.3, Hugo's
| default code-block renderer wrote the Markdown code-fence language
| or info-string into the code class="language-…" data-lang="…"
| wrapper without HTML escaping. A fence info-string containing a
| quote and a script payload breaks out of the attribute and injects a
| live script element. This issue is fixed in 0.163.3.


CVE-2026-58403[1]:
| Hugo is a static site generator. From v0.123.0 through v0.163.0,
| Hugo's virtual filesystem is designed so that files under a mount
| cannot reach outside the mount tree, but a regression caused
| RootMappingFs.statRoot to call Stat, which follows symlinks, instead
| of Lstat, so a direct os.ReadFile "somefile" where somefile was a
| symlink pointing outside the mount would return the target's
| contents. This effectively let a symlink planted inside a theme or
| local mount read arbitrary files reachable to the user running hugo.
| This issue is fixed in v0.163.1.


CVE-2026-58404[2]:
| Hugo is a static site generator. From v0.162.0 through v0.163.0, the
| default security.http.urls policy denies requests to loopback,
| internal, and cloud-metadata IPv4 literals, but the deny rule only
| matched dotted-decimal notation, so alternate IPv4 encodings of the
| same addresses, including integer, hex, or octal, passed the policy.
| When a template passes an untrusted or data-derived URL to
| resources.GetRemote and the host platform uses the cgo system
| resolver, these encodings resolve to the blocked address, allowing
| build-time server-side requests to loopback and internal services,
| including the cloud-metadata endpoint in hosted or CI builds; the
| same check is reused on redirects, so the gap also applies to each
| redirect hop. This issue is fixed in v0.163.1.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-58402
    https://www.cve.org/CVERecord?id=CVE-2026-58402
[1] https://security-tracker.debian.org/tracker/CVE-2026-58403
    https://www.cve.org/CVERecord?id=CVE-2026-58403
[2] https://security-tracker.debian.org/tracker/CVE-2026-58404
    https://www.cve.org/CVERecord?id=CVE-2026-58404

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to