A vulnerability described as problematic has been identified in gohugoio Hugo up to 0.163.0. The affected element is the function
statRoot of the file fs/rootmappingfs.go of the component Virtual Filesystem. Such manipulation of the argument somefile leads to symlink following.
This vulnerability is traded as CVE-2026-58403. An attack has to be approached locally. There is no exploit available.