CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-58403

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-06
Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.

⚡ Watch CVE-2026-58403

Get an email if CVE-2026-58403 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-58403

CVE.org record

Embed the live status

CVE-2026-58403 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-58403 status](https://www.csirts.com/badge/CVE-2026-58403)](https://www.csirts.com/cve/CVE-2026-58403)