CVE-2026-30952
liquidjs has a path traversal fallback vulnerability
Description
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
INFO
Published Date :
March 10, 2026, 9:16 p.m.
Last Modified :
March 18, 2026, 7:16 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | HIGH | [email protected] |
Solution
- Update liquidjs to version 10.25.0 or later.
- Disable dynamicPartials if not strictly necessary.
- Sanitize user-controlled file paths.
- Restrict template content control.
Public PoC/Exploit Available at Github
CVE-2026-30952 has a 2 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-30952.
| URL | Resource |
|---|---|
| https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac | Patch |
| https://github.com/harttle/liquidjs/pull/851 | Issue Tracking Patch |
| https://github.com/harttle/liquidjs/pull/855 | Issue Tracking Patch |
| https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x | Mitigation Patch Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-30952 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-30952
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
PoC for CVE-2026-30952: Path Traversal vulnerability in liquidjs via absolute paths in layout, render, and include tags.
JavaScript
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-30952 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-30952 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Mar. 18, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Added CPE Configuration OR *cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:* versions up to (excluding) 10.25.0 Added Reference Type GitHub, Inc.: https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac Types: Patch Added Reference Type GitHub, Inc.: https://github.com/harttle/liquidjs/pull/851 Types: Issue Tracking, Patch Added Reference Type GitHub, Inc.: https://github.com/harttle/liquidjs/pull/855 Types: Issue Tracking, Patch Added Reference Type GitHub, Inc.: https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x Types: Mitigation, Patch, Vendor Advisory -
New CVE Received by [email protected]
Mar. 10, 2026
Action Type Old Value New Value Added Description liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-22 Added Reference https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac Added Reference https://github.com/harttle/liquidjs/pull/851 Added Reference https://github.com/harttle/liquidjs/pull/855 Added Reference https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x