PT-2026-38298 · Hugo · Hugo

Bacu79 +2 · Published 2026-05-06 · Updated 2026-05-21 · CVE-2026-44301

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Hugo versions prior to 0.161.0

Description

When building a site that utilizes Node-based asset pipelines such as PostCSS, Babel, or TailwindCSS, the software invokes configured Node tools without restrictions on file system access. This allows code executed through these tools to read or write files outside the project's working directory when processing an untrusted site.

Recommendations

Update to version 0.161.0 or later. As a temporary workaround, block the affected tools in the security.exec.allow configuration.
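A sketch of the workaround as a site configuration fragment. This is an added example, not text from the advisory or the Hugo project. The "before" patterns are an assumption based on Hugo's documented default allow list, which can differ between releases, so compare them with the list your own version reports.

```toml
# hugo.toml (added example; the regular expressions are assumptions, see above)

# Before: an allow list that lets Hugo start the Node-based tools behind the
# PostCSS, Babel and TailwindCSS pipelines named in the advisory.
#
# [security]
#   [security.exec]
#     allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$', '^npx$', '^postcss$', '^tailwindcss$']

# Workaround for Hugo versions prior to 0.161.0: keep only the non-Node tools
# the build still needs. No pattern below matches npx, postcss, babel or
# tailwindcss, so Hugo refuses to execute them.
[security]
  [security.exec]
    # Each entry is a regular expression matched against the executable name.
    # Keep the ^...$ anchors so a pattern cannot match a longer, unintended name.
    allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$']
```

With this allow list, a site that depends on those pipelines stops with an access-denied error instead of running the Node tools, which is the intended effect until the upgrade to 0.161.0 or later is in place.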

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-44301
GHSA-X597-9FR4-5857

Affected Products

Hugo