Denial of Service Vulnerability in LiquidJS Template Engine
CVE-2026-44645

6.5MEDIUM

Key Information:

Vendor

Harttle

Status
Liquidjs
Vendor
CVE Published:
17 June 2026

What is CVE-2026-44645?

The LiquidJS template engine, compatible with Shopify and GitHub Pages, has a vulnerability where the renderLimit option can be bypassed through an empty body {% for %} or {% tablerow %} tag. In versions 10.25.7 and earlier, this allows attackers to exploit the lack of iteration time checks, causing the server's event loop to be monopolized by a crafted template. This issue can lead to a denial of service, stalling service requests and impacting availability in environments that rely on renderLimit for protection. The vulnerability has been resolved in version 10.26.0.

Affected Version(s)

liquidjs < 10.26.0

References

https://github.com/harttle/liquidjs/security/advisories/G...
x_refsource_CONFIRM
https://github.com/harttle/liquidjs/commit/5b9c3469085e01...
x_refsource_MISC
https://github.com/harttle/liquidjs/releases/tag/v10.26.0
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.