Arbitrary Property Leak Vulnerability in LiquidJS Template Engine Affecting Shopify and GitHub Pages
CVE-2026-44646

5.3 MEDIUM

Key Information:

Vendor: Harttle

Status
Vendor
CVE Published: 17 June 2026

What is CVE-2026-44646?

The LiquidJS template engine, utilized within Shopify and GitHub Pages, contains a vulnerability in which the Context.spawn() function fails to propagate the resolved ownPropertyOnly value from the parent context. As a result, prototype-chain properties can leak while templates are rendered. Even when a developer sets the ownPropertyOnly option to restrict property exposure, sensitive properties can still appear in rendered output when the {% render %} tag is used. The issue was addressed in LiquidJS version 10.26.0.
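
The failure mode described above can be reproduced in a small stand-alone model. This is an added example, not LiquidJS source code and not code from the advisory: ModelContext, spawnFlawed, spawnFixed and demo are hypothetical names, and the model assumes the restriction was resolved for a single render while the engine-wide option stayed permissive.

```javascript
// Simplified model of the flaw described above. NOT LiquidJS source code:
// ModelContext, spawnFlawed, spawnFixed and demo are hypothetical names.
class ModelContext {
  constructor(scope, engineOpts, resolvedOwnPropertyOnly) {
    this.scope = scope;
    this.engineOpts = engineOpts;
    // Assumption: a value resolved for this render overrides the engine-wide option.
    this.ownPropertyOnly = resolvedOwnPropertyOnly ?? engineOpts.ownPropertyOnly ?? false;
  }

  // Walk a property path, refusing inherited properties when ownPropertyOnly is set.
  get(path) {
    let value = this.scope;
    for (const key of path) {
      if (value == null) return undefined;
      const own = Object.prototype.hasOwnProperty.call(value, key);
      if (this.ownPropertyOnly && !own) return undefined;
      value = value[key];
    }
    return value;
  }

  // Flawed: the child is built from engine options alone, so the parent's
  // resolved ownPropertyOnly value is silently dropped.
  spawnFlawed(scope) {
    return new ModelContext(scope, this.engineOpts);
  }

  // Corrected: the parent's resolved value is handed to the child.
  spawnFixed(scope) {
    return new ModelContext(scope, this.engineOpts, this.ownPropertyOnly);
  }
}

function demo() {
  // Constructed sample data: "internalNote" lives on the prototype, not on the object.
  const user = Object.create({ internalNote: 'constructed-secret' });
  user.name = 'alice';
  const parent = new ModelContext({ user }, { ownPropertyOnly: false }, true);
  const path = ['user', 'internalNote'];
  return {
    parent: parent.get(path),                            // inherited property blocked
    flawedChild: parent.spawnFlawed({ user }).get(path), // restriction lost in the child
    fixedChild: parent.spawnFixed({ user }).get(path),   // restriction preserved
    ownStillWorks: parent.spawnFixed({ user }).get(['user', 'name']),
  };
}
```

A regression test for a real deployment would follow the same shape: render a partial through {% render %} with an object whose sensitive value sits on its prototype, and assert that the value is absent from the output.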

Affected Version(s)

liquidjs < 10.26.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
