| CVE-2026-45618 |
critical |
— |
9.5 |
1d ago |
LiquidJS is Vulnerable to Remote Code Execution |
|
| CVE-2026-45617 |
high |
— |
8.0 |
1d ago |
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex |
|
| CVE-2026-45357 |
high |
— |
8.0 |
1d ago |
LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) |
|
| CVE-2026-41311 |
medium |
6.5 |
6.5 |
20d ago |
liquidjs has a Denial of Service via circular block reference in layout |
|
| CVE-2026-44646 |
medium |
— |
5.5 |
2d ago |
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` |
|
| CVE-2026-44645 |
medium |
— |
5.5 |
2d ago |
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body |
|
| CVE-2026-44644 |
medium |
— |
5.5 |
2d ago |
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS |
|
| CVE-2026-39859 |
unknown |
— |
— |
2mo ago |
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read |
|
| CVE-2026-39412 |
unknown |
— |
— |
2mo ago |
LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel |
|
| CVE-2026-35525 |
unknown |
— |
— |
2mo ago |
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates |
|
| CVE-2026-34166 |
unknown |
— |
— |
2mo ago |
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter |
|
| CVE-2026-33287 |
unknown |
— |
— |
2mo ago |
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern |
|
| CVE-2026-33285 |
unknown |
— |
— |
2mo ago |
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash |
|
| CVE-2026-30952 |
unknown |
— |
— |
3mo ago |
liquidjs has a path traversal fallback vulnerability |
|
| CVE-2022-25948 |
unknown |
— |
— |
4y ago |
liquidjs may leak properties of a prototype |
|