CRITICAL 10.0 CVE-2026-45618 LiquidJS is Vulnerable to Remote Code Execution
from 0, < 10.26.0
HIGH 7.5 CVE-2026-45617 LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
from 0, < 10.26.0
HIGH 7.5 LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)
from 0, <= 10.25.7
HIGH 7.5 liquidjs has a Denial of Service via circular block reference in layout
from 0, < 10.25.7
HIGH 7.5 LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates
from 0, < 10.25.3
HIGH 7.5 LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
from 0, <= 10.24.0
HIGH 7.5 LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
from 0, <= 10.24.0
MEDIUM 6.5 LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
from 0, <= 10.25.7
MEDIUM 6.1 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
from 0, <= 10.25.7
MEDIUM 5.3 LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
from 0, <= 10.25.7
MEDIUM 5.3 LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
from 0, < 10.25.4
MEDIUM 5.3 liquidjs may leak properties of a prototype
from 0, < 10.0.0
LOW 3.7 LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
from 0, < 10.25.3
— LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
from 0, < 10.25.5
— liquidjs has a path traversal fallback vulnerability
from 0, < 10.25.0