CVE-2020-26284

Source
Severity Medium
Remote No
Type Arbitrary command execution
Description
A security issue was found in Hugo on the Windows platform before version 0.79.1. Hugo depends on Go's os/exec for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system %PATH% on Windows. However, if a malicious file with the same name (exe or bat) is found in the current working directory at the time of running hugo, the malicious command will be invoked instead of the system one.
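One way to resolve an external helper such as pandoc without ever consulting the current working directory, as an added example (not Hugo's or Go's own code). The helper `lookPathNoCwd`, the error `ErrNotFound` and the temporary directory layout are hypothetical names and constructed data chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound is returned when no absolute PATH entry contains the command.
var ErrNotFound = errors.New("command not found in absolute PATH entries")

// lookPathNoCwd (hypothetical helper) resolves name against the entries of
// pathVar only. Unlike the Windows lookup described above, it never consults
// the current working directory: empty, "." and relative entries are skipped.
// exts plays the role of %PATHEXT%, e.g. []string{".exe", ".bat"}.
func lookPathNoCwd(name, pathVar string, exts []string) (string, error) {
	if name == "" || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q: bare command name required", name)
	}
	for _, dir := range filepath.SplitList(pathVar) {
		if !filepath.IsAbs(dir) {
			continue // "", "." or relative: would resolve against the cwd
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, name+ext)
			if fi, err := os.Stat(candidate); err == nil && fi.Mode().IsRegular() {
				return candidate, nil
			}
		}
	}
	return "", ErrNotFound
}

func main() {
	// Constructed layout: a planted pandoc.bat in the working directory and
	// the real pandoc.exe in a separate "system" directory.
	cwd, _ := os.MkdirTemp("", "site")
	sys, _ := os.MkdirTemp("", "system")
	defer os.RemoveAll(cwd)
	defer os.RemoveAll(sys)
	os.WriteFile(filepath.Join(cwd, "pandoc.bat"), []byte("planted"), 0o755)
	os.WriteFile(filepath.Join(sys, "pandoc.exe"), []byte("real"), 0o755)
	os.Chdir(cwd)
	pathVar := strings.Join([]string{".", sys}, string(os.PathListSeparator))
	fmt.Println(lookPathNoCwd("pandoc", pathVar, []string{".exe", ".bat"}))
}
```

The caller then passes the returned absolute path to `exec.Command`, so the file in the working directory is never a candidate.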
Group Package Affected Fixed Severity Status Ticket
AVG-1379 hugo 0.79.0-1 Medium Not affected
References
https://github.com/gohugoio/hugo/security/advisories/GHSA-8j34-9876-pvfq
https://github.com/golang/go/issues/38736
https://github.com/gohugoio/hugo/commit/4a8267d64a40564aced0695bca05249da17b0eab