Memory Limitation Flaw in LiquidJS Affecting Shopify and GitHub Pages
CVE-2026-34166

3.7LOW

Key Information:

Vendor: Harttle
Status: Liquidjs
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-34166?

LiquidJS, a template engine compatible with Shopify and GitHub Pages, contains a flaw in its replace filter prior to version 10.25.3. This vulnerability miscalculates memory usage when the memoryLimit option is enabled, allowing an attacker to create input that results in a significantly larger output—up to 2,500 times. Consequently, an attacker controlling template content could bypass memory limit protections, leading to potential out-of-memory conditions and service disruptions. The issue has been resolved in the latest version.