Denial of Service Vulnerability in Python Liquid Template Engine
CVE-2026-55865

7.1HIGH

Key Information:

Vendor

Jg-rp

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-55865?

The Python Liquid template engine is susceptible to a significant issue where a malformed {% case %} tag, lacking an associated {% when %} or {% else %} block, combined with the absence of a terminating {% endcase %} tag, can lead to an infinite loop during parsing. This scenario arises because the liquid.TokenStream.eof method fails to provide the required EOF token matching fields. This vulnerability allows malicious users to craft templates that result in denial of service. This issue has been resolved in version 2.2.1.

Affected Version(s)

liquid < 2.2.1

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.