CVE-2026-39412 - Medium Severity Vulnerability
Vulnerable Library - liquidjs-10.25.1.tgz
A simple, expressive and safe Shopify / Github Pages compatible template engine in pure JavaScript.
Library home page: https://registry.npmjs.org/liquidjs/-/liquidjs-10.25.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/liquidjs/package.json
Dependency Hierarchy:
- @exadel/esl-website-5.15.0.tgz (Root Library)
  - eleventy-3.1.5.tgz
    - ❌ liquidjs-10.25.1.tgz (Vulnerable Library)
Found in HEAD commit: 624af1e6ef611aeaaa9a0444ca492056b5b5353f
Found in base branch: main
Vulnerability Details
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
Publish Date: 2026-04-08
URL: CVE-2026-39412
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-08
Fix Resolution: liquidjs 10.25.4 (https://github.com/harttle/liquidjs.git, tag v10.25.4)
Step up your Open Source Security Game with Mend here