XSS Vulnerability in LiquidJS Template Engine Affecting Shopify and GitHub Pages
CVE-2026-44644

6.1MEDIUM

Key Information:

Vendor

Harttle

Status
Liquidjs
Vendor
CVE Published:
17 June 2026

What is CVE-2026-44644?

LiquidJS, a template engine for Shopify and GitHub Pages, is susceptible to an XSS vulnerability due to a flaw in the strip_html filter logic. This filter, intended to sanitize HTML tags, incorrectly utilizes a regex that fails to account for line terminators. As a result, HTML tags with embedded newlines can bypass sanitization, allowing attackers to inject malicious scripts. For instance, an image tag with a newline can execute an onerror handler, leading to unauthorized code execution. This vulnerability affects applications that rely on the strip_html filter for sanitization without applying additional HTML escaping, which is left unset by default. The vulnerability has been addressed in version 10.26.0.

Affected Version(s)

liquidjs < 10.26.0

References

https://github.com/harttle/liquidjs/security/advisories/G...
x_refsource_CONFIRM
https://github.com/harttle/liquidjs/commit/26ea2856c7a90a...
x_refsource_MISC
https://github.com/harttle/liquidjs/releases/tag/v10.26.0
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.