High severity 7.5 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 10, 2026
CVE-2026-39859
Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.
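A caller-side containment check for the root boundary described above, as an added example that is not LiquidJS code or the project's patch. The helper names `resolveInsideRoot` and `isInsideRoot` and the sample paths are hypothetical, and the check is lexical only (it does not resolve symbolic links).

```javascript
// Added example: a guard an application can run on untrusted template names.
// Not LiquidJS's own code or its fix; all names here are hypothetical.
const path = require('node:path');

// Resolve `filename` against `root` and return the absolute path only if it
// stays inside `root`; throw otherwise. Lexical check: symlinks under root
// are not followed (compare fs.realpathSync results if that matters).
function resolveInsideRoot(root, filename) {
  if (typeof filename !== 'string' || filename.length === 0 || filename.includes('\0')) {
    throw new Error('invalid template name');
  }
  const absRoot = path.resolve(root);
  // path.resolve discards absRoot when filename is absolute, which is
  // exactly the case a root boundary has to catch.
  const candidate = path.resolve(absRoot, filename);
  const rel = path.relative(absRoot, candidate);
  const escapes =
    rel === '' ||                        // resolves to root itself, not a file
    rel === '..' ||
    rel.startsWith('..' + path.sep) ||   // climbs above root
    path.isAbsolute(rel);                // different drive on Windows
  if (escapes) {
    throw new Error(`template path escapes root: ${filename}`);
  }
  return candidate;
}

// Boolean form for filtering or logging.
function isInsideRoot(root, filename) {
  try { resolveInsideRoot(root, filename); return true; } catch { return false; }
}

// Constructed sample inputs (not taken from the advisory).
const ROOT = '/srv/app/templates';
const SAMPLES = [
  'index.liquid', 'partials/../index.liquid', '..hidden.liquid',
  '../secrets.env', '/etc/hostname', 'a/../../b', '.',
];

function classifySamples() {
  return SAMPLES.map((name) => [name, isInsideRoot(ROOT, name)]);
}
```

Run the check on the untrusted name first and only then call renderFile() or parseFile(); upgrading to a patched release remains the actual fix.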
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| liquidjs (npm) | < 10.25.5 | 10.25.5 |
Affected products (4)
- osv-coords (3 versions): < 9.3.3-r0 + 2 more
- (no CPE) range: < 9.3.3-r0
- (no CPE) range: < 9.3.3-r0
- (no CPE) range: < 10.25.5
References (6)
- github.com/advisories/GHSA-v273-448j-v4qj (ghsa, ADVISORY)
- github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-39859 (ghsa, ADVISORY)
- github.com/harttle/liquidjs/commit/f41c1fc02fe901598f3328118b42b13bc6bc9b04 (ghsa, WEB)
- github.com/harttle/liquidjs/pull/870 (ghsa, WEB)
- github.com/harttle/liquidjs/releases/tag/v10.25.5 (ghsa, WEB)