Medium severity5.3NVD Advisory· Published Apr 8, 2026· Updated Apr 20, 2026
CVE-2026-39412
CVE-2026-39412
Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
liquidjsnpm | < 10.25.4 | 10.25.4 |
Affected products
4- osv-coords3 versions
< 9.3.3-r0+ 2 more
- (no CPE)range: < 9.3.3-r0
- (no CPE)range: < 9.3.3-r0
- (no CPE)range: < 10.25.4
Patches
Vulnerability mechanics
References
6- github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1cenvdPatchWEB
- github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvvnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-rv5g-f82m-qrvvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-39412ghsaADVISORY
- github.com/harttle/liquidjs/pull/869nvdIssue TrackingProductWEB
- github.com/harttle/liquidjs/releases/tag/v10.25.4nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.