{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T01:48:59.004","vulnerabilities":[{"cve":{"id":"CVE-2020-26284","sourceIdentifier":"security-advisories@github.com","published":"2020-12-21T23:15:12.157","lastModified":"2024-11-21T05:19:45.430","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround."},{"lang":"es","value":"Hugo es un generador de sitios estáticos rápido y flexible integrado en Go. Hugo depende del \"os/exec\" de Go para determinadas funcionalidades por ejemplo, para la representación de documentos Pandoc si estos binarios se encuentran en el sistema \"%PATH%\" en Windows. En Hugo anterior a versión 0.79.1, si un archivo malicioso con el mismo nombre (\"exe\" o \"bat\") se encuentra en el directorio de trabajo actual en el momento de ejecutar \"hugo\", el comando malicioso será invocado en lugar del sistema. Los usuarios de Windows que ejecutan \"hugo\" dentro de sitios de Hugo no confiables están afectados. Los usuarios deben actualizar a Hugo versión v0.79.1. Aparte de evitar los sitios de Hugo que no confiables, no existe una solución alternativa"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.3,"impactScore":5.8},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":8.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":6.0}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:C/I:C/A:C","baseScore":8.5,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE"},"baseSeverity":"HIGH","exploitabilityScore":6.8,"impactScore":10.0,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:windows:*:*","versionEndExcluding":"0.79.1","matchCriteriaId":"E9F3B098-63C6-44CD-A08B-876C6CBC8BDF"}]}]}],"references":[{"url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/golang/go/issues/38736","source":"security-advisories@github.com","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/golang/go/issues/38736","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory"]}]}}]}