UBUNTU-CVE-2026-44301

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-44301

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-44301

Upstream

CVE-2026-44301

Published

2026-05-12T22:16:00Z

Modified

2026-05-25T09:30:13.541259037Z

Severity

6.2 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.

References

Affected packages

Ubuntu:16.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.15+git20160109.147.dd1d655-1

0.15+git20160109.147.dd1d655-2

0.15+git20160128.179.5def6d9-1

0.15+git20160206.203.ed23711-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-spf13-hugo-dev",
            "binary_version": "0.15+git20160206.203.ed23711-1"
        },
        {
            "binary_name": "hugo",
            "binary_version": "0.15+git20160206.203.ed23711-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json"

Ubuntu:18.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.25.1-2

0.26-1

0.35-1

0.37.1-1

0.38-1

0.39-1

0.40-1

0.40.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-gohugoio-hugo-dev",
            "binary_version": "0.40.1-1"
        },
        {
            "binary_name": "hugo",
            "binary_version": "0.40.1-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json"

Ubuntu:20.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.57.2-1

0.58.3-1

0.59.1-1.1

0.68.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.68.3-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json"

Ubuntu:22.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.80.0-6

0.89.4-2

0.90.0-1

0.90.1-1

0.91.0-1

0.91.2-1

0.92.0-1

0.92.1-1build1

0.92.2-1

0.92.2-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.92.2-1ubuntu0.1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json"

Ubuntu:25.10

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.131.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.131.0-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json"

Ubuntu:26.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.131.0-1

0.152.2-1

0.153.1-3

0.153.2-1

0.154.2-2

0.154.3-1

0.154.5-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.154.5-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json"

Ubuntu:Pro:24.04:LTS

hugo

Package

Name: hugo
Purl: pkg:deb/ubuntu/hugo?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.113.0-3

0.119.0-2

0.120.3-1

0.120.4-1

0.121.2-1

0.122.0-1

0.123.7-1build1

0.123.7-1ubuntu0.1

0.123.7-1ubuntu0.2

0.123.7-1ubuntu0.2+esm1

0.123.7-1ubuntu0.3

0.123.7-1ubuntu0.3+esm1

0.123.7-1ubuntu0.3+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.123.7-1ubuntu0.3+esm2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44301.json"