MEDIUM 6.1 npm
GHSA-2qv6-9wx5-cwv4 · CVE-2026-44644 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
Modified: 5/27/2026
package
npm / liquidjs
pkg:npm/liquidjs
MEDIUM 5.3 npm
GHSA-45rm-2893-5f49 · CVE-2022-25948 liquidjs may leak properties of a prototype
Modified: 4/14/2025
HIGH 7.5 npm
GHSA-4rc3-7j7w-m548 · CVE-2026-41311 liquidjs has a Denial of Service via circular block reference in layout
Modified: 5/13/2026
HIGH 7.5 npm
GHSA-56p5-8mhr-2fph · CVE-2026-35525 LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates
Modified: 4/10/2026
HIGH 7.5 npm
GHSA-6q5m-63h6-5x4v · CVE-2026-33287 LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
Modified: 3/30/2026
MEDIUM 6.5 npm
GHSA-8xx9-69p8-7jp3 · CVE-2026-44645 LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Modified: 5/27/2026
HIGH 7.5 npm
GHSA-9r5m-9576-7f6x · CVE-2026-33285 LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
Modified: 3/30/2026
MEDIUM 5.3 npm
GHSA-9x9p-qf8f-mvjg · CVE-2026-44646 LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
Modified: 5/27/2026
LOW 3.7 npm
GHSA-mmg9-6m6j-jqqx · CVE-2026-34166 LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Modified: 4/10/2026
MEDIUM 5.3 npm
GHSA-rv5g-f82m-qrvv · CVE-2026-39412 LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
Modified: 4/10/2026
MEDIUM npm
GHSA-v273-448j-v4qj · CVE-2026-39859 LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
Modified: 4/10/2026
HIGH npm
GHSA-wmfp-5q7x-987x · CVE-2026-30952 liquidjs has a path traversal fallback vulnerability
Modified: 3/17/2026