HIGHCVE-2026-39859Published 2026-04-08Modified 2026-04-10CNA GitHub_M

CVE-2026-39859: LiquidJS has a renderFile() / parseFile() bypass configured root and allow arbitrary file read

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

harttle / liquidjs
< 10.25.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

https://github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj

Metrics