CVE-2026-39412
Published: 08 April 2026
Summary
CVE-2026-39412 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Liquidjs Liquidjs. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the flaw in the sort_natural filter by requiring timely patching to LiquidJS version 10.25.4 or later, preventing the prototype property disclosure.
Vulnerability scanning identifies systems running vulnerable LiquidJS versions prior to 10.25.4 affected by this information disclosure CVE.
Validates and sanitizes untrusted template inputs in multi-tenant systems to block malicious sort_natural filter usage that triggers the prototype leakage side-channel.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables remote unauthenticated exploitation of a public-facing template engine (T1190) to extract sensitive local system data like API keys via filter bypass (T1005).
NVD Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying…
more
on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
Deeper analysisAI
CVE-2026-39412 affects LiquidJS, a Shopify and GitHub Pages compatible template engine implemented in pure JavaScript. In versions prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, enabling template authors to extract values of prototype-inherited properties via a sorting side-channel attack. This issue, rated at CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and mapped to CWE-200, exposes applications that rely on ownPropertyOnly: true as a security boundary, such as multi-tenant template systems, to information disclosure risks.
The vulnerability can be exploited by unauthenticated attackers over the network with low complexity and no user interaction required. In affected multi-tenant environments, a malicious template author could craft input that triggers the sort_natural filter to leak sensitive prototype-inherited properties, such as API keys and tokens, resulting in limited confidentiality impact without affecting integrity or availability.
LiquidJS security advisories and release notes confirm the issue is fixed in version 10.25.4. Mitigation involves upgrading to 10.25.4 or later, as detailed in the GitHub commit (e743da0020d34e2ee547e1cc1a86b58377ebe1ce), pull request #869, release tag v10.25.4, and GHSA-rv5g-f82m-qrvv advisory.
Details
- CWE(s)