{"id":"GO-2026-5380","summary":"Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo","details":"Hugo: Symlink confinement bypass in resources.Get in github.com/gohugoio/hugo","aliases":["CVE-2026-50135","GHSA-fw87-fv5r-9fpw"],"modified":"2026-07-07T20:30:13.601174193Z","published":"2026-07-07T16:52:19Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-5380","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-fw87-fv5r-9fpw"},{"type":"FIX","url":"https://github.com/gohugoio/hugo/commit/f8b5fa09a64950c32b803821ede411ebfe772b7a"},{"type":"WEB","url":"https://github.com/gohugoio/hugo/releases/tag/v0.162.0"}],"affected":[{"package":{"name":"github.com/gohugoio/hugo","ecosystem":"Go","purl":"pkg:golang/github.com/gohugoio/hugo"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.123.0"},{"fixed":"0.162.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/gohugoio/hugo/hugofs","symbols":["FileMeta.Open","FileMeta.ReadAll","RootMappingFs.Open","RootMappingFs.Stat","RootMappingFs.statRoot","rootMappingDir.ReadDir","rootMappingDir.Readdirnames"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-5380.json"}}],"schema_version":"1.7.5"}