High severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 11, 2026
liquidjs has a path traversal fallback vulnerability
CVE-2026-30952
Description
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the `layout`, `render`, and `include` tags allow arbitrary file access via absolute paths, given either as string literals or through Liquid variables (the latter requires `dynamicPartials: true`, which is the default). This poses a security risk when malicious users are allowed to control the template content or to specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
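The check below is an added example, not liquidjs code or the project's patch: it shows why joining a template name onto a root with Node's `path.resolve` gives no containment when the name is absolute, next to a lookup that rejects such names. The function names, root directory and sample names are constructed for illustration, and the check also covers `..` segments, which the description does not mention.

```javascript
// POSIX semantics so the results are identical on every host OS.
const path = require('node:path').posix;

// Naive lookup: resolve() discards `root` entirely when `name` is absolute,
// so the caller-supplied name alone decides which file is read.
function naiveResolve(root, name) {
  return path.resolve(root, name);
}

// Contained lookup: returns the resolved path only if it stays inside one of
// the configured roots, otherwise null.
function containedResolve(roots, name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) {
    return null;
  }
  // Absolute names never come from a legitimate partial or layout reference.
  if (path.isAbsolute(name)) return null;

  for (const root of roots) {
    const base = path.resolve(root);
    const candidate = path.resolve(base, name);
    // Compare by relative path, not by string prefix: a prefix test would
    // accept "/srv/app/views-private" as being under "/srv/app/views".
    const rel = path.relative(base, candidate);
    const escapes = rel === '' || rel === '..' || rel.startsWith('../');
    if (!escapes) return candidate;
  }
  return null;
}

// Constructed sample values.
const ROOTS = ['/srv/app/views'];
const SAMPLES = [
  'partials/header.liquid',            // ordinary partial
  '/constructed/outside/secret.txt',   // absolute path
  '../../outside/secret.txt',          // relative escape
  'a/../../views-private/x.liquid',    // sibling directory sharing a prefix
];

function report() {
  return SAMPLES.map((name) => ({
    name,
    naive: naiveResolve(ROOTS[0], name),
    contained: containedResolve(ROOTS, name),
  }));
}

console.table(report());
```

This kind of check is defence in depth for applications that cannot upgrade immediately; the fix named by the advisory is upgrading to 10.25.0.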
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| liquidjs (npm) | < 10.25.0 | 10.25.0 |
Affected products
- osv-coords (2 versions): < 9.3.1-r1 + 1 more
- (no CPE) range: < 9.3.1-r1
- (no CPE) range: < 10.25.0
References
- github.com/advisories/GHSA-wmfp-5q7x-987x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-30952 (ghsa, ADVISORY)
- github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac (ghsa, x_refsource_MISC, WEB)
- github.com/harttle/liquidjs/pull/851 (ghsa, x_refsource_MISC, WEB)
- github.com/harttle/liquidjs/pull/855 (ghsa, x_refsource_MISC, WEB)
- github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x (ghsa, x_refsource_CONFIRM, WEB)