VYPR
Vendor

Liquidjs

Products
2
CVEs
24
Across products
24
Status
Private

Products

2

Recent CVEs

24
View all 24 CVEs →
  • CVE-2026-45618criMay 27, 2026
    risk 0.52cvss epss 0.00

    ### Summary It is possible to execute arbitrary code with crafted templates ### Details `1|valueOf` -> `this` when evaluating the filter ```liquid {%assign r=1|valueOf%} {{r|inspect}} ``` ```json {"context":{"scopes":[{"r":"[Circular]"}],"re…

  • CVE-2026-45357higMay 27, 2026
    risk 0.45cvss epss 0.00

    ## Summary The `date` filter's strftime implementation parses width specifiers like `%9999999d` and forwards the captured width unchecked into `pad()`/`padStart()` in `src/util/underscore.ts`. The pad loop performs unbounded string concatenation without consulting the Context's…

  • CVE-2026-41311HigMay 9, 2026
    risk 0.42cvss 7.5epss 0.00

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with…

  • CVE-2026-39859HigApr 8, 2026
    risk 0.42cvss 7.5epss 0.00

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance…

  • CVE-2026-35525HigApr 8, 2026
    risk 0.42cvss 7.5epss 0.00

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is…

  • CVE-2026-45617higMay 27, 2026
    risk 0.38cvss epss 0.00

    ## Summary The built-in `strip_html` filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many `<script`, `<style`, or `<!--` opener tokens without matching closers, the V8 regex engine performs O(N²) backtracking, blocking the…

  • CVE-2026-39412MedApr 8, 2026
    risk 0.27cvss 5.3epss 0.00

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting…

  • CVE-2026-34166LowApr 8, 2026
    risk 0.17cvss 3.7epss 0.01

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to…

  • CVE-2021-43397Nov 11, 2021
    risk 0.01cvss epss 0.04

    LiquidFiles before 3.6.3 allows remote attackers to elevate their privileges from Admin (or User Admin) to Sysadmin.

  • CVE-2026-12673Jun 20, 2026
    risk 0.00cvss epss 0.00

    Liquidfiles versions before 4.2.12 are affected by a broken access control vulnerability resulting in privilege escalation from an Admin in a secondary domain to a Sysadmin by modifying a group in their managed secondary (non-default) group.

  • CVE-2026-44646May 27, 2026
    risk 0.00cvss epss 0.00

    ## Summary `Context.spawn()` in liquidjs creates a child `Context` for the `{% render %}` tag but does not propagate the parent context's resolved `ownPropertyOnly` value. The new context re-derives `ownPropertyOnly` from `opts.ownPropertyOnly` (the instance-level option),…

  • CVE-2026-44645May 27, 2026
    risk 0.00cvss epss 0.00

    ## Summary The `renderLimit` option — documented in `docs/source/tutorials/dos.md` as the mechanism that "mitigates this by limiting the time consumed by each render() call" — can be fully bypassed by a `{% for %}` (or `{% tablerow %}`) tag whose body is empty. The…

  • CVE-2026-44644May 27, 2026
    risk 0.00cvss epss 0.00

    ## Summary The `strip_html` filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (`<.*?>`) does not match line terminators, so any HTML tag containing a…

  • CVE-2026-33285Mar 26, 2026
    risk 0.00cvss epss 0.00

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate…

  • CVE-2026-33287Mar 26, 2026
    risk 0.00cvss epss 0.00

    LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only…

  • CVE-2026-30952Mar 10, 2026
    risk 0.00cvss epss 0.01

    liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials:…

  • CVE-2025-56132Sep 30, 2025
    risk 0.00cvss epss 0.01

    LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts.…

  • CVE-2025-46094Aug 4, 2025
    risk 0.00cvss epss 0.01

    LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript.

  • CVE-2025-46093Aug 4, 2025
    risk 0.00cvss epss 0.01

    LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration.

  • CVE-2023-4393Oct 29, 2023
    risk 0.00cvss epss 0.00

    HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization.