CVE-2026-30952
Published: 10 March 2026
Summary
CVE-2026-30952 is a high-severity Path Traversal (CWE-22) vulnerability in Liquidjs Liquidjs. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-30952 is a path traversal vulnerability (CWE-22) in liquidjs, a Shopify- and GitHub Pages-compatible template engine implemented in pure JavaScript. Versions prior to 10.25.0 allow arbitrary file access through the layout, render, and include tags when absolute paths are specified, either as string literals or via Liquid variables. The latter requires the dynamicPartials option to be enabled, which is the default setting. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication or user interaction.
Attackers can exploit this vulnerability in scenarios where untrusted users control template content or provide filepath inputs as Liquid variables. Remote, unauthenticated attackers gain read access to arbitrary files on the server by crafting malicious templates or variables with absolute paths, potentially exposing sensitive data such as configuration files, source code, or user information depending on the application's file system permissions and deployment context.
The vulnerability is addressed in liquidjs version 10.25.0, where the relevant changes prevent absolute path traversal in the affected tags. Security practitioners should upgrade to 10.25.0 or later and review applications using liquidjs for user-controlled template rendering, disabling dynamicPartials if feasible. Official details are available in the GitHub security advisory (GHSA-wmfp-5q7x-987x) and related pull requests (#851, #855) with the fixing commit (3cd024d652dc883c46307581e979fe32302adbac).
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10872
Vulnerability details
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require…
more
dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing template engine directly enables remote file read (T1005) including credential files (T1552.001) via T1190 exploitation of internet-facing apps.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Remediating the path traversal flaw in liquidjs versions prior to 10.25.0 by upgrading prevents arbitrary file access through layout, render, and include tags.
Validating user-controlled inputs for Liquid variables and template content blocks absolute paths and traversal sequences, directly countering the CWE-22 vulnerability.
Secure configuration settings disable dynamicPartials or restrict partial paths to authorized locations, eliminating the default condition enabling variable-based file access.