Cyber Posture

CVE-2026-30952

High

Published: 10 March 2026

Modified: 18 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0002 (5.8th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30952 is a high-severity Path Traversal (CWE-22) vulnerability in Liquidjs Liquidjs. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Path traversal in a public-facing template engine directly enables remote file read (T1005), including credential files (T1552.001), via T1190 exploitation of internet-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.

Deeper analysis (AI-generated)

CVE-2026-30952 is a path traversal vulnerability (CWE-22) in liquidjs, a Shopify- and GitHub Pages-compatible template engine implemented in pure JavaScript. Versions prior to 10.25.0 allow arbitrary file access through the layout, render, and include tags when absolute paths are specified, either as string literals or via Liquid variables. The latter requires the dynamicPartials option to be enabled, which is the default setting. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for authentication or user interaction.

Attackers can exploit this vulnerability in scenarios where untrusted users control template content or provide filepath inputs as Liquid variables. Remote, unauthenticated attackers gain read access to arbitrary files on the server by crafting malicious templates or variables with absolute paths, potentially exposing sensitive data such as configuration files, source code, or user information depending on the application's file system permissions and deployment context.

The vulnerability is addressed in liquidjs version 10.25.0, where the relevant changes prevent absolute path traversal in the affected tags. Security practitioners should upgrade to 10.25.0 or later and review applications using liquidjs for user-controlled template rendering, disabling dynamicPartials if feasible. Official details are available in the GitHub security advisory (GHSA-wmfp-5q7x-987x) and related pull requests (#851, #855) with the fixing commit (3cd024d652dc883c46307581e979fe32302adbac).

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

liquidjs: ≤ 10.25.0

CVEs Like This One

CVE-2026-39859 (same product: Liquidjs Liquidjs)
CVE-2026-35525 (same product: Liquidjs Liquidjs)
CVE-2026-39412 (same product: Liquidjs Liquidjs)
CVE-2026-33285 (same product: Liquidjs Liquidjs)
CVE-2026-33287 (same product: Liquidjs Liquidjs)
CVE-2026-3585 (shared CWE-22)
CVE-2026-26217 (shared CWE-22)
CVE-2026-30403 (shared CWE-22)
CVE-2026-28679 (shared CWE-22)
CVE-2026-30869 (shared CWE-22)
