Denial of Service Vulnerability in Python Liquid Template Engine
CVE-2026-55865
7.1HIGH
What is CVE-2026-55865?
The Python Liquid template engine is susceptible to a significant issue where a malformed {% case %} tag, lacking an associated {% when %} or {% else %} block, combined with the absence of a terminating {% endcase %} tag, can lead to an infinite loop during parsing. This scenario arises because the liquid.TokenStream.eof method fails to provide the required EOF token matching fields. This vulnerability allows malicious users to craft templates that result in denial of service. This issue has been resolved in version 2.2.1.
Affected Version(s)
liquid < 2.2.1
