CVE-2026-39859
- EPSS 0.05%
- Published 08.04.2026 19:45:21
- Last modified 10.04.2026 21:18:42
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that bound...
CVE-2026-39412
- EPSS 0.03%
- Published 08.04.2026 19:39:17
- Last modified 20.04.2026 14:53:53
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties ...
CVE-2026-35525
- EPSS 0.04%
- Published 08.04.2026 19:30:24
- Last modified 10.04.2026 21:19:03
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots bef...
CVE-2026-34166
- EPSS 0.04%
- Published 08.04.2026 17:52:05
- Last modified 10.04.2026 21:19:24
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length ...
CVE-2026-33285
- EPSS 0.1%
- Published 26.03.2026 00:34:25
- Last modified 30.03.2026 16:46:19
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing...
CVE-2026-33287
- EPSS 0.1%
- Published 26.03.2026 00:33:20
- Last modified 30.03.2026 16:46:03
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the match...
CVE-2026-30952
- EPSS 0.02%
- Published 10.03.2026 20:25:20
- Last modified 18.03.2026 19:16:25
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latt...
CVE-2022-25948
- EPSS 0.33%
- Published 22.12.2022 05:15:10
- Last modified 14.04.2025 18:15:19
The package liquidjs before 10.0.0 is vulnerable to Information Exposure when the ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround: For versions 9.34.0 and higher, an option to disable this functio...