7.5

CVE-2026-39412

Exploit

EPSS 0.03%
Veröffentlicht 08.04.2026 19:39:17
Zuletzt bearbeitet 20.04.2026 14:53:53
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Liquidjs ≫ Liquidjs SwPlatformnode.js Version < 10.25.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.083

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv

Vendor Advisory

Exploit

https://github.com/harttle/liquidjs/pull/869

Product

Issue Tracking

https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce

Patch

https://github.com/harttle/liquidjs/releases/tag/v10.25.4

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-39412

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39412

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39412

EUVD