What is CVE-2026-30952?

CVE-2026-30952 is a vulnerability in Harttle Liquidjs, classified under Path Traversal. Published 2026-03-10.

Is CVE-2026-30952 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Harttle Liquidjs

CVE-2026-30952

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variable…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (6.2th percentile) — read the EPSS interpretation.

Affected products

Harttle Liquidjs — versions < 10.25.0

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

MorielHarush/CVE-2026-30952-PoC

References

https://github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x (x_refsource_CONFIRM)
https://github.com/harttle/liquidjs/pull/851 (x_refsource_MISC)
https://github.com/harttle/liquidjs/pull/855 (x_refsource_MISC)
https://github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-30952?: CVE-2026-30952 is a vulnerability in Harttle Liquidjs, classified under Path Traversal. Published 2026-03-10.
Is CVE-2026-30952 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.