CVE-2026-39859
Published: 08 April 2026
Summary
CVE-2026-39859 is a high-severity Path Traversal (CWE-22) vulnerability in Liquidjs Liquidjs. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediates the path traversal vulnerability in LiquidJS by identifying and applying patches such as upgrading to version 10.25.3.
Validates and sanitizes file paths passed to renderFile() and parseFile() to block traversal sequences like '../', preventing arbitrary file disclosure.
Establishes and maintains secure configuration settings for LiquidJS root directory to ensure it is non-empty and properly constrains file access boundaries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing LiquidJS template engine enables remote unauthenticated arbitrary file read (T1190 for exploitation of public-facing app; T1005 for direct data collection from local system files).
NVD Description
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance…
more
configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.
Deeper analysisAI
CVE-2026-39859 is a path traversal vulnerability (CWE-22) in LiquidJS, a pure JavaScript template engine compatible with Shopify and GitHub Pages. The issue affects versions prior to 10.25.3, where the documented root directory constraint for filenames passed to renderFile() and parseFile() is not enforced during top-level file loads. This allows an attacker to bypass the root boundary when a Liquid instance is configured with an empty temporary directory as root, enabling the disclosure of arbitrary file contents on the server.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely with low complexity and no privileges or user interaction required. An unauthenticated attacker who can influence file paths processed by a vulnerable LiquidJS instance—such as through user-supplied templates or inputs in a web application—can achieve arbitrary file read access, potentially exposing sensitive data like configuration files, source code, or credentials.
The GitHub security advisory (GHSA-v273-448j-v4qj) confirms the vulnerability and states it is fixed in LiquidJS version 10.25.3, recommending immediate upgrades for all affected installations. No workarounds are detailed beyond ensuring proper root directory configuration and validating inputs, with practitioners advised to review deployments using LiquidJS in server-side rendering contexts.
Details
- CWE(s)