Template Engine Vulnerability in LiquidJS by Harttle
CVE-2026-39412

5.3 MEDIUM

Key Information:

Vendor: Harttle

Status
Vendor
CVE Published: 8 April 2026

What is CVE-2026-39412?

LiquidJS, a popular template engine compatible with Shopify and GitHub Pages, is susceptible to an issue where the sort_natural filter bypasses the ownPropertyOnly security option. This flaw potentially allows malicious template authors to use a sorting side channel to expose sensitive prototype properties such as API keys and tokens. Applications that depend on the ownPropertyOnly setting for security, particularly in multi-tenant template environments, are at risk of unintended information disclosure. This vulnerability has been addressed in version 10.25.4.
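The flaw class described above, as an added example (a simplified model, not LiquidJS source code): a sort whose comparator reads properties through the prototype chain produces an ordering that depends on inherited values, while an own-property guard removes that dependency. The names readAny, readOwn, sortNaturalBy, Settings and the sample values are hypothetical and constructed for illustration.

```javascript
// Simplified model of the flaw class; not LiquidJS source code.
// All names (readAny, readOwn, sortNaturalBy, Settings) are hypothetical.

// Unguarded read: follows the prototype chain.
function readAny(obj, key) {
  return obj == null ? undefined : obj[key];
}

// Guarded read: what an own-property-only policy is meant to enforce.
function readOwn(obj, key) {
  return obj != null && Object.prototype.hasOwnProperty.call(obj, key)
    ? obj[key]
    : undefined;
}

// Case-insensitive sort by a property, with the property reader injected.
function sortNaturalBy(items, key, read) {
  const norm = (v) => (v == null ? '' : String(v).toLowerCase());
  return [...items].sort((a, b) => {
    const x = norm(read(a, key));
    const y = norm(read(b, key));
    return x < y ? -1 : x > y ? 1 : 0;
  });
}

// Constructed sample: `token` lives on the prototype, not on the instance.
function makeItems(inheritedToken) {
  class Settings {
    constructor(label) { this.label = label; }
  }
  Settings.prototype.token = inheritedToken;
  return [
    { label: 'low', token: 'b' },
    new Settings('inherited'),
    { label: 'high', token: 'y' },
  ];
}

// Regression check: does the order change when only the inherited value changes?
function orderDependsOnInherited(read) {
  const order = (t) =>
    sortNaturalBy(makeItems(t), 'token', read).map((o) => o.label).join(',');
  return order('a-constructed') !== order('z-constructed');
}

console.log('unguarded read:', orderDependsOnInherited(readAny)); // true
console.log('guarded read:  ', orderDependsOnInherited(readOwn)); // false
```

The same independence check can be kept as a regression test around any filter that compares objects by property, so a guard that is missing on one code path shows up as a failing assertion.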

Affected Version(s)

liquidjs < 10.25.4

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved