How severe is CVE-2020-26284?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.5 out of 10.

What type of vulnerability is CVE-2020-26284?

This is classified as CWE-78, which is a common weakness in software security.

CVE-2020-26284 - HIGH Severity | CVSS 8.5

Vulnerability Description

Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.

Related Vulnerabilities

CVE-2025-24022

HIGH

CVSS:8.5(High)

iTop is an web based IT Service Management tool. Prior to versions 2.7.12, 3.1.3, and 3.2.1, server code execution is possible through the frontend of iTop's portal. This is fixed in versions 2.7.12, ...

CWE-782025

CVE-2017-6970

HIGH

CVSS:8.4(High)

AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow local users to execute arbitrary commands in a privileged context via an NfSen socket, aka AlienVault ID ENG-104863.

CWE-782017

CVE-2019-12735

HIGH

CVSS:8.6(High)

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_...

CWE-782019

CVE-2019-13139

HIGH

CVSS:8.4(High)

In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "doc...

CWE-782019

CVE-2019-4294

HIGH

CVSS:8.4(High)

IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.6, 7.6.0.0 through 7.6.0.15 and IBM MQ Appliance 8.0.0.0 through 8.0.0.12, 9.1.0.0 through 9.1.0.2, and 9.1.1 through 9.1.2 could allow a local attack...

CWE-782019

CVE-2019-5736

HIGH

CVSS:8.6(High)

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to ex...

CWE-782019