VYPR
Medium severity5.3NVD Advisory· Published Apr 8, 2026· Updated Apr 20, 2026

CVE-2026-39412

CVE-2026-39412

Description

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
liquidjsnpm
< 10.25.410.25.4

Affected products

4

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.