VYPR
High severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

liquidjs has a path traversal fallback vulnerability

CVE-2026-30952

Description

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
liquidjsnpm
< 10.25.010.25.0

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.