High severity (7.5) · NVD Advisory · Published May 9, 2026 · Updated May 14, 2026
CVE-2026-41311
Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| liquidjs (npm) | < 10.25.7 | 10.25.7 |
Affected products
- osv-coords (5 versions):
  - pkg:apk/chainguard/kibana-9.3
  - pkg:apk/chainguard/kibana-9.3-iamguarded
  - pkg:apk/chainguard/kibana-9.4
  - pkg:apk/chainguard/kibana-9.4-iamguarded
  - pkg:npm/liquidjs
- (no CPE) range: < 9.3.3-r6
- (no CPE) range: < 9.3.3-r6
- (no CPE) range: < 9.4.2-r1
- (no CPE) range: < 9.4.2-r1
- (no CPE) range: < 10.25.7
References
- github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0 (nvd; Patch; WEB)
- github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548 (nvd; Exploit; Vendor Advisory; WEB)
- github.com/advisories/GHSA-4rc3-7j7w-m548 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-41311 (ghsa; ADVISORY)
- github.com/harttle/liquidjs/releases/tag/v10.25.7 (nvd; Product; Release Notes; WEB)