CVE-2026-44301: Hugo's Node tool execution allows file system access outside the project directory

May 6, 2026

When building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project’s working directory.

Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected.

References

  • github.com/advisories/GHSA-x597-9fr4-5857
  • github.com/gohugoio/hugo
  • github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857
  • nvd.nist.gov/vuln/detail/CVE-2026-44301

Affected versions

All versions starting from 0.43.0 before 0.161.0

Fixed versions

  • 0.161.0

Solution

Upgrade to version 0.161.0 or above.
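
A triage sketch for the two conditions above, added here as an example and not code from Hugo or from this advisory: it checks a version string against the affected range and looks for templates that call PostCSS, Babel or TailwindCSS. The template-name regex, the `layouts/` path filter and the sample site are assumptions, and the script cannot judge whether a site is trusted.

```python
import re
import tempfile
from pathlib import Path

# Affected range stated in the advisory: 0.43.0 <= version < 0.161.0.
FIRST_AFFECTED, FIRST_FIXED = (0, 43, 0), (0, 161, 0)
VERSION = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?")
ACTION = re.compile(r"\{\{(.*?)\}\}", re.DOTALL)  # one Go template action
# Heuristic (assumption): an action that names one of the three Node-based
# pipelines the advisory lists, e.g. css.PostCSS, js.Babel, css.TailwindCSS.
NODE_TOOL = re.compile(r"\b(postcss|babel|tailwindcss)\b", re.IGNORECASE)

def parse_version(text):
    """(major, minor, patch) from a version string or `hugo version` output;
    pre-release and build suffixes are ignored."""
    m = VERSION.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def version_affected(text):
    return FIRST_AFFECTED <= parse_version(text) < FIRST_FIXED

def node_pipeline_uses(site_dir):
    """Sorted (template path, tool) pairs for .html files under any layouts/ dir."""
    root, hits = Path(site_dir), set()
    for path in root.rglob("*.html"):
        rel = path.relative_to(root)
        if not path.is_file() or "layouts" not in rel.parts or "node_modules" in rel.parts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for action in ACTION.findall(text):
            for tool in NODE_TOOL.findall(action):
                hits.add((rel.as_posix(), tool.lower()))
    return sorted(hits)

def triage(version_text, site_dir):
    """Exposed = affected Hugo version AND the site invokes a Node tool."""
    uses = node_pipeline_uses(site_dir)
    affected = version_affected(version_text)
    return {"affected_version": affected, "node_pipeline_uses": uses,
            "exposed": affected and bool(uses)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample site
        tpl = Path(tmp, "layouts", "partials", "head.html")
        tpl.parent.mkdir(parents=True)
        tpl.write_text('{{ $css := resources.Get "main.css" | css.PostCSS }}')
        print(triage("hugo v0.150.0+extended linux/amd64", tmp))
```

A hit only means the build would invoke a Node tool on that version; whether the site's content is trusted still has to be decided by whoever runs the build.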

Impact 8.1 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Weakness

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source file

go/github.com/gohugoio/hugo/CVE-2026-44301.yml

Page generated Sat, 09 May 2026 00:19:29 +0000.