UBUNTU-CVE-2026-58403

Source
https://ubuntu.com/security/CVE-2026-58403
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-58403
Upstream
Published
2026-07-06T20:16:00Z
Modified
2026-07-09T17:17:14.305837805Z
Severity
  • 5.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Hugo is a static site generator. From v0.123.0 through v0.163.0, Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree, but a regression caused RootMappingFs.statRoot to call Stat, which follows symlinks, instead of Lstat, so a direct os.ReadFile "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo. This issue is fixed in v0.163.1.

References

Affected packages

Ubuntu:16.04:LTS
hugo

Package

Name
hugo
Purl
pkg:deb/ubuntu/hugo?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.15+git20160109.147.dd1d655-1
0.15+git20160109.147.dd1d655-2
0.15+git20160128.179.5def6d9-1
0.15+git20160206.203.ed23711-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-spf13-hugo-dev",
            "binary_version": "0.15+git20160206.203.ed23711-1"
        },
        {
            "binary_name": "hugo",
            "binary_version": "0.15+git20160206.203.ed23711-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json"
Ubuntu:18.04:LTS
hugo

Package

Name
hugo
Purl
pkg:deb/ubuntu/hugo?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.25.1-2
0.26-1
0.35-1
0.37.1-1
0.38-1
0.39-1
0.40-1
0.40.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-gohugoio-hugo-dev",
            "binary_version": "0.40.1-1"
        },
        {
            "binary_name": "hugo",
            "binary_version": "0.40.1-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json"
Ubuntu:20.04:LTS
hugo

Package

Name
hugo
Purl
pkg:deb/ubuntu/hugo?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.57.2-1
0.58.3-1
0.59.1-1.1
0.68.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.68.3-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json"
Ubuntu:22.04:LTS
hugo

Package

Name
hugo
Purl
pkg:deb/ubuntu/hugo?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.80.0-6
0.89.4-2
0.90.0-1
0.90.1-1
0.91.0-1
0.91.2-1
0.92.0-1
0.92.1-1build1
0.92.2-1
0.92.2-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.92.2-1ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json"
Ubuntu:25.10
hugo

Package

Name
hugo
Purl
pkg:deb/ubuntu/hugo?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.131.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.131.0-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json"
Ubuntu:26.04:LTS
hugo

Package

Name
hugo
Purl
pkg:deb/ubuntu/hugo?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.131.0-1
0.152.2-1
0.153.1-3
0.153.2-1
0.154.2-2
0.154.3-1
0.154.5-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.154.5-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json"
Ubuntu:Pro:24.04:LTS
hugo

Package

Name
hugo
Purl
pkg:deb/ubuntu/hugo?arch=source&distro=esm-apps%2Fnoble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.113.0-3
0.119.0-2
0.120.3-1
0.120.4-1
0.121.2-1
0.122.0-1
0.123.7-1build1
0.123.7-1ubuntu0.1
0.123.7-1ubuntu0.2
0.123.7-1ubuntu0.2+esm1
0.123.7-1ubuntu0.3
0.123.7-1ubuntu0.3+esm1
0.123.7-1ubuntu0.3+esm2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "hugo",
            "binary_version": "0.123.7-1ubuntu0.3+esm2"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-58403.json"