Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/373530?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/373530?format=api", "purl": "pkg:npm/liquidjs@10.25.4", "type": "npm", "namespace": "", "name": "liquidjs", "version": "10.25.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "10.26.0", "latest_non_vulnerable_version": "10.26.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81157?format=api", "vulnerability_id": "VCID-senw-hmwk-qqhj", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41311", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16196", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1632", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16338", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1635", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41311" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41311", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41311" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0", "reference_id": "e2311dfd6e82f73509308aa8a3a1fafc92e226f0", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:04:05Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0" }, { "reference_url": "https://github.com/advisories/GHSA-4rc3-7j7w-m548", "reference_id": "GHSA-4rc3-7j7w-m548", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4rc3-7j7w-m548" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548", "reference_id": "GHSA-4rc3-7j7w-m548", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:04:05Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.7", "reference_id": "v10.25.7", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:04:05Z/" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41530?format=api", "purl": "pkg:npm/liquidjs@10.25.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rvg-m1s9-q7g8" }, { "vulnerability": "VCID-aeat-fxbf-xbed" }, { "vulnerability": "VCID-hsu4-rbg2-77g7" }, { "vulnerability": "VCID-z1u2-3tmy-pkd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.7" } ], "aliases": [ "CVE-2026-41311", "GHSA-4rc3-7j7w-m548" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-senw-hmwk-qqhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/72918?format=api", "vulnerability_id": "VCID-wvp4-x1cb-63d7", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39859", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05987", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05996", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06002", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0601", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39859" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/f41c1fc02fe901598f3328118b42b13bc6bc9b04", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs/commit/f41c1fc02fe901598f3328118b42b13bc6bc9b04" }, { "reference_url": "https://github.com/harttle/liquidjs/pull/870", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs/pull/870" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39859", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39859" }, { "reference_url": "https://github.com/advisories/GHSA-v273-448j-v4qj", "reference_id": "GHSA-v273-448j-v4qj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v273-448j-v4qj" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj", "reference_id": "GHSA-v273-448j-v4qj", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:45:15Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373629?format=api", "purl": "pkg:npm/liquidjs@10.25.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-senw-hmwk-qqhj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.5" } ], "aliases": [ "CVE-2026-39859", "GHSA-v273-448j-v4qj" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wvp4-x1cb-63d7" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73033?format=api", "vulnerability_id": "VCID-mkcp-t1z2-j3em", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39412", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05639", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05649", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05664", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05657", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39412" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39412", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39412" }, { "reference_url": "https://github.com/harttle/liquidjs/pull/869", "reference_id": "869", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/pull/869" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce", "reference_id": "e743da0020d34e2ee547e1cc1a86b58377ebe1ce", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce" }, { "reference_url": "https://github.com/advisories/GHSA-rv5g-f82m-qrvv", "reference_id": "GHSA-rv5g-f82m-qrvv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rv5g-f82m-qrvv" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv", "reference_id": "GHSA-rv5g-f82m-qrvv", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.4", "reference_id": "v10.25.4", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373530?format=api", "purl": "pkg:npm/liquidjs@10.25.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.4" } ], "aliases": [ "CVE-2026-39412", "GHSA-rv5g-f82m-qrvv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mkcp-t1z2-j3em" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.4" }