CVE-2026-39859

LiquidJS has a renderFile() / parseFile() bypass configured root and allow arbitrary file read

Description

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.

INFO

Published Date :

2026-04-08T19:45:21.747Z

Last Modified :

2026-04-08T19:45:21.747Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39859 vulnerability.

Vendors	Products
Harttle	Liquidjs

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39859.

URL	Resource
https://github.com/harttle/liquidjs/security/advisories/GHSA-v273-448j-v4qj

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability