CVE-2026-30952
HIGH EPSS 42.2%
Published Mar 10, 2026 (3mo ago) · Modified Mar 18, 2026 (3mo ago)
8.7 CVSS 4.0
Description
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths, given either as string literals or through Liquid variables (the latter requires dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or to specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
CVSS Details
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
42.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| liquidjs | liquidjs | * | <10.25.0 |
References 4
- github.com https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac
- github.com https://github.com/harttle/liquidjs/pull/851
- github.com https://github.com/harttle/liquidjs/pull/855
- github.com https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x