Cyber Resilience

CVE-2026-39412

MediumPublic PoC

Published: 08 April 2026

Published
08 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0002 5.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39412 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Liquidjs Liquidjs. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-39412 affects LiquidJS, a Shopify and GitHub Pages compatible template engine implemented in pure JavaScript. In versions prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, enabling template authors to extract values of prototype-inherited properties via a sorting side-channel attack. This issue, rated at CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) and mapped to CWE-200, exposes applications that rely on ownPropertyOnly: true as a security boundary, such as multi-tenant template systems, to information disclosure risks.

The vulnerability can be exploited by unauthenticated attackers over the network with low complexity and no user interaction required. In affected multi-tenant environments, a malicious template author could craft input that triggers the sort_natural filter to leak sensitive prototype-inherited properties, such as API keys and tokens, resulting in limited confidentiality impact without affecting integrity or availability.

LiquidJS security advisories and release notes confirm the issue is fixed in version 10.25.4. Mitigation involves upgrading to 10.25.4 or later, as detailed in the GitHub commit (e743da0020d34e2ee547e1cc1a86b58377ebe1ce), pull request #869, release tag v10.25.4, and GHSA-rv5g-f82m-qrvv advisory.

EU & UK References

Vulnerability details

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying…

more

on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Vulnerability enables remote unauthenticated exploitation of a public-facing template engine (T1190) to extract sensitive local system data like API keys via filter bypass (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39859Same product: Liquidjs Liquidjs
CVE-2026-35525Same product: Liquidjs Liquidjs
CVE-2026-30952Same product: Liquidjs Liquidjs
CVE-2026-33285Same product: Liquidjs Liquidjs
CVE-2026-33287Same product: Liquidjs Liquidjs
CVE-2026-41311Same product: Liquidjs Liquidjs
CVE-2025-22973Shared CWE-200
CVE-2024-43707Shared CWE-200
CVE-2024-13606Shared CWE-200
CVE-2024-13622Shared CWE-200

Affected Assets

liquidjs
liquidjs
≤ 10.25.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the flaw in the sort_natural filter by requiring timely patching to LiquidJS version 10.25.4 or later, preventing the prototype property disclosure.

detect

Vulnerability scanning identifies systems running vulnerable LiquidJS versions prior to 10.25.4 affected by this information disclosure CVE.

prevent

Validates and sanitizes untrusted template inputs in multi-tenant systems to block malicious sort_natural filter usage that triggers the prototype leakage side-channel.

References