CVE-2020-26284

Name of the Vulnerable Software and Affected Versions Hugo versions prior to 0.79.1

Description Hugo is a fast and Flexible Static Site Generator built in Go. It depends on Go's os/exec for certain features, such as rendering of Pandoc documents if these binaries are found in the system %PATH% on Windows. If a malicious file with the same name (exe or bat) is found in the current working directory at the time of running hugo, the malicious command will be invoked instead of the system one. Windows users who run hugo inside untrusted Hugo sites are affected.

Recommendations For Hugo versions prior to 0.79.1, upgrade to Hugo v0.79.1 to resolve the issue. As a temporary workaround, consider avoiding untrusted Hugo sites until the issue is resolved.