CVE-2026-39859

HIGH

LiquidJS has a renderFile() / parseFile() bypass configured root and allow arbitrary file read

Title source: cna
STIX 2.1

Description

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.

References (1)

Scores

CVSS v3 7.5
EPSS 0.0002
EPSS Percentile 5.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (3)
harttle/liquidjs < 10.25.3
liquidjs/liquidjs < 10.25.3
npm/liquidjs 0 - 10.25.5npm
Published Apr 08, 2026
Tracked Since Apr 09, 2026