Vulnerability in Gohugoio Hugo

CVE-2026-50135

Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made  RootMappingFs.statRoot  use  Stat  (follows symlinks) instead of  Lstat , so a direct  resources.Get  of a symlink pointing outside its mount returned the target'…

Affected products

Weakness classification (CWE)

References