Vulnerability in Harttle Liquidjs
CVE-2026-35525
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layout…
EPSS: 0.001 (22.5th percentile)
Affected products
- Harttle Liquidjs — versions < 10.25.3
Weakness classification (CWE)
References
- https://github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph (x_refsource_CONFIRM)
- https://github.com/harttle/liquidjs/pull/867 (x_refsource_MISC)
- https://github.com/harttle/liquidjs/releases/tag/v10.25.3 (x_refsource_MISC)