{"id":"CVE-2020-26284","details":"Hugo is a fast and flexible static site generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering Pandoc documents if the required binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name as one of these binaries (with an `exe` or `bat` extension) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one, because the `os/exec` lookup used by these versions checks the current working directory before `%PATH%` on Windows. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.","aliases":["GHSA-8j34-9876-pvfq"],"modified":"2026-04-12T00:37:49.992314Z","published":"2020-12-21T23:15:12.157Z","related":["CGA-2xm2-qwmg-9pwh","GHSA-8j34-9876-pvfq"],"references":[{"type":"FIX","url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq"},{"type":"FIX","url":"https://github.com/golang/go/issues/38736"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gohugoio/hugo","events":[{"introduced":"0"},{"fixed":"edb9248d588411962023f5560e14ebafd16c51cb"}],"database_specific":{"cpe":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.79.1"}],"source":"CPE_FIELD"}}],"versions":["v0.10","v0.11","v0.12","v0.13","v0.14","v0.15","v0.16","v0.17","v0.18","v0.19","v0.20","v0.20.1","v0.20.4","v0.21","v0.22","v0.22.1","v0.23","v0.24","v0.25","v0.25.1","v0.26","v0.27","v0.27.1","v0.28","v0.29","v0.30","v0.30.1","v0.30.2","v0.31","v0.31.1","v0.32","v0.32.1","v0.32.2","v0.32.3","v0.32.4","v0.33","v0.34","v0.35","v0.36","v0.37","v0.37.1","v0.38","v0.38.1","v0.38.2","v0.39","v0.40","v0.40.1","v0.40.2","v0.42.1","v0.43","v0.44","v0.45","v0.45.1","v0.46","v0.47","v0.47.1","v0.48","v0.49","v0.50","v0.51","v0.52","v0.53","v0.54.0","v0.55.0","v0.55.1","v0.55.2","v0.55.3","v0.55.4","v0.55.5","v0.56.0","v0.56.2","v0.56.3","v0.57.0","v0.57.1","v0.57.2","v0.58
.0","v0.58.1","v0.58.2","v0.58.3","v0.59.0","v0.59.1","v0.60.0","v0.60.1","v0.61.0","v0.62.0","v0.62.1","v0.62.2","v0.63.0","v0.63.1","v0.63.2","v0.64.0","v0.64.1","v0.65.0","v0.65.1","v0.65.2","v0.65.3","v0.66.0","v0.67.0","v0.67.1","v0.68.0","v0.68.1","v0.68.2","v0.68.3","v0.69.0","v0.69.1","v0.69.2","v0.7","v0.70.0","v0.71.0","v0.71.1","v0.72.0","v0.74.0","v0.74.1","v0.74.2","v0.74.3","v0.75.0","v0.75.1","v0.76.0","v0.76.1","v0.76.2","v0.76.4","v0.77.0","v0.78.0","v0.78.1","v0.78.2","v0.79.0","v0.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-26284.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}