GHSA-fw87-fv5r-9fpw

**Commit:** [f8b5fa09a6](https://github.com/gohugoio/hugo/commit/f8b5fa09a6) — _Fix prevention of direct symlink reads in resources.Get_ **Affected versions:** v0.123.0 through v0.161.1. Earlier versions are not affected. **Fixed in:** v0.162.0. **Severity:** Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under `themes/`. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via `resources.Get` followed symlinks.

**Description.** Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused `RootMappingFs.statRoot` to call `Stat` (which follows symlinks) instead of `Lstat`, so a direct `resources.Get "somefile"` where `somefile` was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running `hugo`.

**Mitigation.** v0.162.0 calls `LstatIfPossible` and rejects symlinked entries with `os.ErrNotExist`, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.