CVE-2026-45017
HIGHPython Liquid: Absolute paths escape filesystem loader search path
Title source: cnaDescription
Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/jg-rp/liquid/security/advisories/GHSA-8p4x-wr7x-3788
Scores
CVSS v3
7.5
EPSS
0.0034
EPSS Percentile
25.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
jg-rp/liquid
< 2.2.0
jg-rp/python_liquid
< 2.2.0
pypi/python-liquid
0 - 2.2.0PyPI
Published
May 28, 2026
Tracked Since
May 28, 2026