SSRF in Gohugoio Hugo

CVE-2026-58404

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alte…

Vulnerability class: SSRF (Server-Side Request Forgery)

Affected products

Weakness classification (CWE)

References