CVE-2026-30952

Severity High · EPSS 42.2%
CVSS 4.0 base score 8.7 (High)
Published Mar 10, 2026 · Last modified Mar 18, 2026

Description

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths, given either as string literals or through Liquid variables (the variable form requires dynamicPartials: true, which is the default). This is a security risk wherever untrusted users can control template content or supply, as a Liquid variable, the file path to be included. The vulnerability is fixed in 10.25.0.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required None
User Interaction None
Vulnerable System Impact Confidentiality High, Integrity None, Availability None
Subsequent System Impact Confidentiality None, Integrity None, Availability None

Threat Intelligence

EPSS Exploit Probability
42.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products 1

Vendor     Product    Version   Range
liquidjs   liquidjs   *         <10.25.0

References 4

  • github.com https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac
    Patch
  • github.com https://github.com/harttle/liquidjs/pull/851
    Issue Tracking, Patch
  • github.com https://github.com/harttle/liquidjs/pull/855
    Issue Tracking, Patch
  • github.com https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x
    Mitigation, Patch, Vendor Advisory

Remediation

  • Upgrade liquidjs to 10.25.0 or later. The fix is commit 3cd024d652dc883c46307581e979fe32302adbac (pull requests 851 and 855); see the vendor advisory GHSA-wmfp-5q7x-987x at https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x.
  • Until the upgrade is in place, do not let untrusted users author templates or supply the path passed to layout, render, or include. If partial names never need to come from Liquid variables, set dynamicPartials: false, which removes the variable-driven variant; absolute paths written as string literals in an attacker-authored template remain reachable on unpatched versions, so this is a partial mitigation only.