Arbitrary File Access Vulnerability in LiquidJS Template Engine

CVE-2026-30952

What is CVE-2026-30952?

LiquidJS is a versatile template engine that is primarily compatible with Shopify and GitHub Pages, designed to simplify the rendering of dynamic content. However, prior to version 10.25.0, it contained a vulnerability that allowed malicious users to exploit the layout, render, and include tags. This flaw permitted access to arbitrary files through the use of absolute paths, either as hardcoded strings or via user-controlled Liquid variables - provided that dynamicPartials was enabled, which was the default setting. Such access poses a significant risk if unauthorized individuals are able to manipulate template content or specify arbitrary file paths. The issue has been addressed in the 10.25.0 release, highlighting the importance of updating to safeguard against potential exploits.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References