Vulnerability Description
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths, given either as string literals or through Liquid variables (the latter requires dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or to specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
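As an added example (not code from the advisory or from liquidjs), the script below audits template source for the two cases described above: layout, render and include tags whose partial name is an absolute path literal, and tags whose name is an unquoted variable resolved at render time. The names `auditTemplate` and `isAbsolutePath` are hypothetical and the sample template is constructed.

```javascript
// Added example, not liquidjs code. Function names are hypothetical.
// Flags {% layout %}, {% render %} and {% include %} tags whose partial name is
// an absolute path literal, or an unquoted variable resolved at render time.

// Tag name followed by its first argument: a quoted literal or a bare token.
const PARTIAL_TAG =
  /\{%-?\s*(layout|render|include)\s+(?:(["'])(.*?)\2|([^\s,%]+))/g;

// POSIX root, UNC/backslash root, or Windows drive-letter root.
function isAbsolutePath(p) {
  return /^(?:[\\/]|[A-Za-z]:[\\/])/.test(p);
}

function auditTemplate(source) {
  const findings = [];
  for (const m of source.matchAll(PARTIAL_TAG)) {
    const [, tag, quote, literal, bare] = m;
    // 1-based line number of the tag within the template source.
    const line = source.slice(0, m.index).split('\n').length;
    if (quote !== undefined) {
      // Quoted argument: only absolute literals are reported.
      if (isAbsolutePath(literal)) {
        findings.push({ line, tag, kind: 'absolute-literal', value: literal });
      }
    } else {
      // Unquoted argument: treated as a Liquid variable when
      // dynamicPartials is true (the default), so its source needs review.
      findings.push({ line, tag, kind: 'dynamic', value: bare });
    }
  }
  return findings;
}

// Constructed sample template (not from a real project).
const sample = [
  '{% layout "base.liquid" %}',
  '{% include "/etc/passwd" %}',
  '{%- render user_choice -%}',
  "{% render 'C:/data/app.key' %}",
  '{% include "partials/header" %}',
].join('\n');

for (const f of auditTemplate(sample)) {
  console.log(`line ${f.line}: ${f.tag} ${f.kind} ${f.value}`);
}
```

A `dynamic` finding is not a vulnerability by itself; it marks a tag where the path comes from a variable, so the reviewer has to trace whether that variable can be influenced by untrusted input.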
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Liquidjs | Liquidjs | < 10.25.0 |
Related Weaknesses (CWE)
References
- https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302ad (Patch)
- https://github.com/harttle/liquidjs/pull/851 (Issue Tracking, Patch)
- https://github.com/harttle/liquidjs/pull/855 (Issue Tracking, Patch)
- https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x (Mitigation, Patch, Vendor Advisory)
FAQ
What is CVE-2026-30952?
CVE-2026-30952 is a vulnerability with a CVSS score of 7.5 (HIGH). liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as str...
How severe is CVE-2026-30952?
CVE-2026-30952 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30952?
Check the references section above for vendor advisories and patch information. Affected products include: Liquidjs Liquidjs.