Path Traversal in Harttle Liquidjs

CVE-2026-39859

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (6.0th percentile) — read the EPSS interpretation.

Affected products

Harttle Liquidjs — versions < 10.25.3

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj (x_refsource_CONFIRM)