216.73.216.86

CVE-2026-30952

· Published 10/03/2026 21:16 · Modified 11/03/2026 13:52

Labels: CVE-2026-30952 2026-03-10CVE-2026-30952CWE-22[email protected]

Essential information

Published
10/03/2026 21:16
Modified
11/03/2026 13:52
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
liquidjs / liquidjs cpe:2.3:a:liquidjs:liquidjs:<10.25.0:*:*:*:*:*:*:*

References