A vulnerability, which was classified as problematic, was found in gohugoio Hugo up to 0.161.1. This affects the function statRoot of the component File System Access. Such manipulation leads to symlink following.

This vulnerability is uniquely identified as CVE-2026-50135. Local access is required to approach this attack. No exploit exists.