Arbitrary Code Execution Affecting github.com/gohugoio/hugo package, versions <0.79.1
- Snyk ID SNYK-GOLANG-GITHUBCOMGOHUGOIOHUGO-1314358
- published 24 Jun 2021
- disclosed 23 Jun 2021
- credit Unknown
Introduced: 23 Jun 2021
CVE-2020-26284
How to fix?
Upgrade github.com/gohugoio/hugo to version 0.79.1 or higher.
Overview
github.com/gohugoio/hugo is the world’s fastest framework for building websites.
Affected versions of this package are vulnerable to Arbitrary Code Execution. Hugo can execute a binary from the current directory on Windows. Hugo depends on Go's os/exec for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system %PATH% on Windows. However, if a malicious file with the same name (exe or bat) is found in the current working directory at the time of running hugo, the malicious command will be invoked instead of the system one.
Windows users who run hugo inside untrusted Hugo sites are affected.
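The lookup order described above, modelled in Go next to a hardened form that resolves only from %PATH%. This is an added example, not code from Hugo, Go's os/exec or this advisory. The function lookup, the sample paths and the file set are constructed for illustration, and the file-existence check is injected so the model runs on any OS.

```go
package main

import (
	"fmt"
	"strings"
)

// lookup models how a bare command name is resolved on Windows.
// cwdFirst=true mirrors the affected behaviour: the current directory is
// tried before the %PATH% entries. cwdFirst=false is the hardened form: only
// %PATH% is searched, and entries that point back at the working directory
// ("", "." or cwd itself) are skipped. exists is injected (assumption) so the
// model does not touch the real file system.
func lookup(name, cwd string, pathDirs, exts []string, exists func(string) bool, cwdFirst bool) (string, bool) {
	dirs := pathDirs
	if cwdFirst {
		dirs = append([]string{cwd}, pathDirs...)
	}
	for _, dir := range dirs {
		if !cwdFirst && (dir == "" || dir == "." || strings.EqualFold(dir, cwd)) {
			continue // never resolve a helper from the working directory
		}
		for _, ext := range exts {
			candidate := dir + `\` + name + ext
			if exists(candidate) {
				return candidate, true
			}
		}
	}
	return "", false
}

// Constructed sample file system: an untrusted site that ships its own
// pandoc.bat, plus a system-wide Pandoc install. Keys are lower-cased because
// Windows file names are case-insensitive.
var sampleFiles = map[string]bool{
	`c:\sites\untrusted\pandoc.bat`:      true,
	`c:\program files\pandoc\pandoc.exe`: true,
}

func sampleExists(p string) bool { return sampleFiles[strings.ToLower(p)] }

func main() {
	cwd := `C:\sites\untrusted`
	path := []string{`C:\Windows\System32`, `C:\Program Files\Pandoc`}
	exts := []string{".exe", ".bat"}
	for _, cwdFirst := range []bool{true, false} {
		got, ok := lookup("pandoc", cwd, path, exts, sampleExists, cwdFirst)
		fmt.Printf("cwdFirst=%v -> %q (found=%v)\n", cwdFirst, got, ok)
	}
}
```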