pkg:npm/liquidjs

All known vulnerabilities

• CRITICAL10.0CVE-2026-45618LiquidJS is Vulnerable to Remote Code Execution
  from 0, < 10.26.0
• HIGH7.5CVE-2026-45617LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
  from 0, < 10.26.0
• HIGH7.5CVE-2026-45357LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)
  from 0, <= 10.25.7
• HIGH7.5CVE-2026-41311liquidjs has a Denial of Service via circular block reference in layout
  from 0, < 10.25.7
• HIGH7.5CVE-2026-35525LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates
  from 0, < 10.25.3
• HIGH7.5CVE-2026-33287LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
  from 0, <= 10.24.0
• HIGH7.5CVE-2026-33285LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
  from 0, <= 10.24.0
• MEDIUM6.5CVE-2026-44645LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
  from 0, <= 10.25.7
• MEDIUM6.1CVE-2026-44644LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
  from 0, <= 10.25.7
• MEDIUM5.3CVE-2026-44646LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
  from 0, <= 10.25.7
• MEDIUM5.3CVE-2026-39412LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
  from 0, < 10.25.4
• MEDIUM5.3CVE-2022-25948liquidjs may leak properties of a prototype
  from 0, < 10.0.0
• LOW3.7CVE-2026-34166LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
  from 0, < 10.25.3
• —CVE-2026-39859LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
  from 0, < 10.25.5
• —CVE-2026-30952liquidjs has a path traversal fallback vulnerability
  from 0, < 10.25.0