Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/603886?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/603886?format=api", "purl": "pkg:npm/liquidjs@8.2.1", "type": "npm", "namespace": "", "name": "liquidjs", "version": "8.2.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "10.26.0", "latest_non_vulnerable_version": "10.26.0", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66309?format=api", "vulnerability_id": "VCID-6fyz-rsdt-gbfc", "summary": "liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30952", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06196", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06186", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06207", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30952" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac", "reference_id": "3cd024d652dc883c46307581e979fe32302adbac", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:39:07Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac" }, { "reference_url": "https://github.com/harttle/liquidjs/pull/851", "reference_id": "851", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:39:07Z/" } ], "url": "https://github.com/harttle/liquidjs/pull/851" }, { "reference_url": "https://github.com/harttle/liquidjs/pull/855", "reference_id": "855", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:39:07Z/" } ], "url": "https://github.com/harttle/liquidjs/pull/855" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30952", "reference_id": "CVE-2026-30952", "reference_type": "", "scores": [ { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30952" }, { "reference_url": "https://github.com/advisories/GHSA-wmfp-5q7x-987x", "reference_id": "GHSA-wmfp-5q7x-987x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wmfp-5q7x-987x" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x", "reference_id": "GHSA-wmfp-5q7x-987x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-11T14:39:07Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40428?format=api", "purl": "pkg:npm/liquidjs@10.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-74jc-8x3v-9bhz" }, { "vulnerability": "VCID-gyfz-xw6u-97gz" }, { "vulnerability": "VCID-mkcp-t1z2-j3em" }, { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.0" } ], "aliases": [ "CVE-2026-30952", "GHSA-wmfp-5q7x-987x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6fyz-rsdt-gbfc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/75013?format=api", "vulnerability_id": "VCID-74jc-8x3v-9bhz", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34166", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06707", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06716", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06727", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34166" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34166", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34166" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25", "reference_id": "abc058be0f33d6372cd2216f4945183167abeb25", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:36:50Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25" }, { "reference_url": "https://github.com/advisories/GHSA-mmg9-6m6j-jqqx", "reference_id": "GHSA-mmg9-6m6j-jqqx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mmg9-6m6j-jqqx" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx", "reference_id": "GHSA-mmg9-6m6j-jqqx", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:36:50Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.3", "reference_id": "v10.25.3", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:36:50Z/" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373982?format=api", "purl": "pkg:npm/liquidjs@10.25.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mkcp-t1z2-j3em" }, { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.3" } ], "aliases": [ "CVE-2026-34166", "GHSA-mmg9-6m6j-jqqx" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-74jc-8x3v-9bhz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71850?format=api", "vulnerability_id": "VCID-gyfz-xw6u-97gz", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based. Because of that, a file like partials/link.liquid passes the directory containment check as long as its pathname is under the allowed root. If link.liquid is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target. So the restriction is applied to the path string that was requested, not to the file that is actually read. This matters in environments where an attacker can place templates or otherwise influence files under a trusted template root, including uploaded themes, extracted archives, mounted content, or repository-controlled template trees. This vulnerability is fixed in 10.25.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35525", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22482", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22691", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22678", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35525" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35525", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35525" }, { "reference_url": "https://github.com/harttle/liquidjs/pull/867", "reference_id": "867", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T19:52:53Z/" } ], "url": "https://github.com/harttle/liquidjs/pull/867" }, { "reference_url": "https://github.com/advisories/GHSA-56p5-8mhr-2fph", "reference_id": "GHSA-56p5-8mhr-2fph", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-56p5-8mhr-2fph" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph", "reference_id": "GHSA-56p5-8mhr-2fph", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T19:52:53Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.3", "reference_id": "v10.25.3", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T19:52:53Z/" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373982?format=api", "purl": "pkg:npm/liquidjs@10.25.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-mkcp-t1z2-j3em" }, { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.3" } ], "aliases": [ "CVE-2026-35525", "GHSA-56p5-8mhr-2fph" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gyfz-xw6u-97gz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78219?format=api", "vulnerability_id": "VCID-h7rs-7c34-9fb4", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's `memoryLimit` security mechanism can be completely bypassed by using reverse range expressions (e.g., `(100000000..1)`), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., `replace` filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request. Version 10.25.1 patches the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33285", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00122", "scoring_system": "epss", "scoring_elements": "0.30848", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00122", "scoring_system": "epss", "scoring_elements": "0.3106", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00122", "scoring_system": "epss", "scoring_elements": "0.31045", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33285" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33285", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33285" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578", "reference_id": "95ddefc056a11a44d9e753fd47a39db2c241e578", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-28T02:06:55Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/95ddefc056a11a44d9e753fd47a39db2c241e578" }, { "reference_url": "https://github.com/advisories/GHSA-9r5m-9576-7f6x", "reference_id": "GHSA-9r5m-9576-7f6x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9r5m-9576-7f6x" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x", "reference_id": "GHSA-9r5m-9576-7f6x", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-28T02:06:55Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-9r5m-9576-7f6x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40428?format=api", "purl": "pkg:npm/liquidjs@10.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-74jc-8x3v-9bhz" }, { "vulnerability": "VCID-gyfz-xw6u-97gz" }, { "vulnerability": "VCID-mkcp-t1z2-j3em" }, { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.0" } ], "aliases": [ "CVE-2026-33285", "GHSA-9r5m-9576-7f6x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h7rs-7c34-9fb4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/163411?format=api", "vulnerability_id": "VCID-hz6c-xzhn-43ez", "summary": "The package liquidjs before 10.0.0 are vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable this functionality is provided.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25948", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56377", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.5651", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0033", "scoring_system": "epss", "scoring_elements": "0.56495", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-25948" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25948", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25948" }, { "reference_url": "https://github.com/harttle/liquidjs/issues/454", "reference_id": "454", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-14T18:09:22Z/" } ], "url": "https://github.com/harttle/liquidjs/issues/454" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/7e99efc5131e20cf3f59e1fc2c371a15aa4109db", "reference_id": "7e99efc5131e20cf3f59e1fc2c371a15aa4109db", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-14T18:09:22Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/7e99efc5131e20cf3f59e1fc2c371a15aa4109db" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/7eb621601c2b05d6e379e5ce42219f2b1f556208", "reference_id": "7eb621601c2b05d6e379e5ce42219f2b1f556208", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-14T18:09:22Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/7eb621601c2b05d6e379e5ce42219f2b1f556208" }, { "reference_url": "https://github.com/advisories/GHSA-45rm-2893-5f49", "reference_id": "GHSA-45rm-2893-5f49", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-45rm-2893-5f49" }, { "reference_url": "https://groups.google.com/u/0/a/snyk.io/g/report/c/9ipXecWRtTM/m/IgLadevtCQAJ", "reference_id": "IgLadevtCQAJ", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-14T18:09:22Z/" } ], "url": "https://groups.google.com/u/0/a/snyk.io/g/report/c/9ipXecWRtTM/m/IgLadevtCQAJ" }, { "reference_url": "https://security.snyk.io/vuln/SNYK-JS-LIQUIDJS-2952868", "reference_id": "SNYK-JS-LIQUIDJS-2952868", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-14T18:09:22Z/" } ], "url": "https://security.snyk.io/vuln/SNYK-JS-LIQUIDJS-2952868" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/383945?format=api", "purl": "pkg:npm/liquidjs@10.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6fyz-rsdt-gbfc" }, { "vulnerability": "VCID-74jc-8x3v-9bhz" }, { "vulnerability": "VCID-gyfz-xw6u-97gz" }, { "vulnerability": "VCID-h7rs-7c34-9fb4" }, { "vulnerability": "VCID-mkcp-t1z2-j3em" }, { "vulnerability": "VCID-q11p-q5e6-ufbg" }, { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.0.0" } ], "aliases": [ "CVE-2022-25948", "GHSA-45rm-2893-5f49" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hz6c-xzhn-43ez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/73033?format=api", "vulnerability_id": "VCID-mkcp-t1z2-j3em", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39412", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05639", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05657", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05664", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39412" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39412", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39412" }, { "reference_url": "https://github.com/harttle/liquidjs/pull/869", "reference_id": "869", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/pull/869" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce", "reference_id": "e743da0020d34e2ee547e1cc1a86b58377ebe1ce", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce" }, { "reference_url": "https://github.com/advisories/GHSA-rv5g-f82m-qrvv", "reference_id": "GHSA-rv5g-f82m-qrvv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rv5g-f82m-qrvv" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv", "reference_id": "GHSA-rv5g-f82m-qrvv", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.4", "reference_id": "v10.25.4", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T13:53:22Z/" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373530?format=api", "purl": "pkg:npm/liquidjs@10.25.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.4" } ], "aliases": [ "CVE-2026-39412", "GHSA-rv5g-f82m-qrvv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mkcp-t1z2-j3em" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/78032?format=api", "vulnerability_id": "VCID-q11p-q5e6-ufbg", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, the `replace_first` filter in LiquidJS uses JavaScript's `String.prototype.replace()` which interprets `$&` as a back reference to the matched substring. The filter only charges `memoryLimit` for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the `memoryLimit` budget, leading to denial of service. Version 10.25.1 patches the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33287", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11998", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12093", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.12091", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33287" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33287", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33287" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d", "reference_id": "35d523026345d80458df24c72e653db78b5d061d", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T14:13:05Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/35d523026345d80458df24c72e653db78b5d061d" }, { "reference_url": "https://github.com/advisories/GHSA-6q5m-63h6-5x4v", "reference_id": "GHSA-6q5m-63h6-5x4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6q5m-63h6-5x4v" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v", "reference_id": "GHSA-6q5m-63h6-5x4v", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-26T14:13:05Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-6q5m-63h6-5x4v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40428?format=api", "purl": "pkg:npm/liquidjs@10.25.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-74jc-8x3v-9bhz" }, { "vulnerability": "VCID-gyfz-xw6u-97gz" }, { "vulnerability": "VCID-mkcp-t1z2-j3em" }, { "vulnerability": "VCID-senw-hmwk-qqhj" }, { "vulnerability": "VCID-wvp4-x1cb-63d7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.0" } ], "aliases": [ "CVE-2026-33287", "GHSA-6q5m-63h6-5x4v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q11p-q5e6-ufbg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/81157?format=api", "vulnerability_id": "VCID-senw-hmwk-qqhj", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41311", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16196", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1635", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16338", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-41311" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41311", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41311" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0", "reference_id": "e2311dfd6e82f73509308aa8a3a1fafc92e226f0", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:04:05Z/" } ], "url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0" }, { "reference_url": "https://github.com/advisories/GHSA-4rc3-7j7w-m548", "reference_id": "GHSA-4rc3-7j7w-m548", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4rc3-7j7w-m548" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548", "reference_id": "GHSA-4rc3-7j7w-m548", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:04:05Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.7", "reference_id": "v10.25.7", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T15:04:05Z/" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41530?format=api", "purl": "pkg:npm/liquidjs@10.25.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rvg-m1s9-q7g8" }, { "vulnerability": "VCID-aeat-fxbf-xbed" }, { "vulnerability": "VCID-hsu4-rbg2-77g7" }, { "vulnerability": "VCID-z1u2-3tmy-pkd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.7" } ], "aliases": [ "CVE-2026-41311", "GHSA-4rc3-7j7w-m548" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-senw-hmwk-qqhj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/72918?format=api", "vulnerability_id": "VCID-wvp4-x1cb-63d7", "summary": "LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39859", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.06002", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0601", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05987", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-39859" }, { "reference_url": "https://github.com/harttle/liquidjs", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs" }, { "reference_url": "https://github.com/harttle/liquidjs/commit/f41c1fc02fe901598f3328118b42b13bc6bc9b04", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs/commit/f41c1fc02fe901598f3328118b42b13bc6bc9b04" }, { "reference_url": "https://github.com/harttle/liquidjs/pull/870", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs/pull/870" }, { "reference_url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/harttle/liquidjs/releases/tag/v10.25.5" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39859", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39859" }, { "reference_url": "https://github.com/advisories/GHSA-v273-448j-v4qj", "reference_id": "GHSA-v273-448j-v4qj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v273-448j-v4qj" }, { "reference_url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj", "reference_id": "GHSA-v273-448j-v4qj", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T20:45:15Z/" } ], "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/373629?format=api", "purl": "pkg:npm/liquidjs@10.25.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-senw-hmwk-qqhj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@10.25.5" } ], "aliases": [ "CVE-2026-39859", "GHSA-v273-448j-v4qj" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wvp4-x1cb-63d7" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/liquidjs@8.2.1" }