Template Engine Vulnerability in LiquidJS for Shopify and GitHub Pages
CVE-2026-39859

6.3 MEDIUM

Key Information:

Vendor: Harttle

CVE Published: 8 April 2026

What is CVE-2026-39859?

LiquidJS, a template engine compatible with Shopify and GitHub Pages, contains a vulnerability in versions prior to 10.25.3. The issue arises from insufficient constraints on filenames passed to functions such as renderFile() and parseFile(). Although the root directory restriction is enforced under normal operations, top-level file loads can bypass it, allowing an attacker to access arbitrary files. The flaw can be exploited if a Liquid instance is configured with an empty temporary directory as the root directory. As a result, the contents of unauthorized files can be returned, potentially leading to sensitive information disclosure. Users should upgrade to LiquidJS version 10.25.3 or later to mitigate this risk.
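One way for a caller to enforce the root boundary itself before passing a user-influenced name to renderFile() or parseFile(). This is an added example, not LiquidJS code or the project's fix; `resolveInsideRoot`, `demo` and the fixture file names are hypothetical and constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper (not a LiquidJS API): map an untrusted template name to a
// real path under `root`, or throw if the result would land outside it.
function resolveInsideRoot(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) {
    throw new Error('invalid template name');
  }
  const realRoot = fs.realpathSync(root);
  // path.resolve() drops realRoot when `requested` is absolute and collapses
  // "../" segments, so the result has to be compared against the root afterwards.
  const candidate = path.resolve(realRoot, requested);
  // realpathSync() follows symlinks, so a link inside root is judged by its
  // target. It throws for missing files, which callers treat as a refusal too.
  const real = fs.realpathSync(candidate);
  const rel = path.relative(realRoot, real);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`template outside root: ${requested}`);
  }
  return real;
}

// Constructed fixture: a temporary root with one template, plus a file beside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'liquid-root-demo-'));
  const root = path.join(base, 'templates');
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, 'page.liquid'), 'Hello {{ name }}');
  const outside = path.join(base, 'secret.txt');
  fs.writeFileSync(outside, 'not a template');
  fs.symlinkSync(outside, path.join(root, 'link.liquid'));
  const verdict = (name) => {
    try { resolveInsideRoot(root, name); return 'allowed'; } catch { return 'rejected'; }
  };
  const results = {
    inside: verdict('page.liquid'),
    relativeEscape: verdict('../secret.txt'),
    absolutePath: verdict(outside),
    symlinkOut: verdict('link.liquid'),
    missing: verdict('nope.liquid'),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

A check like this is defence in depth for callers that accept template names from requests; the remedy the advisory gives is still upgrading to 10.25.3 or later.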

Affected Version(s)

liquidjs < 10.25.3

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
