cvedb.io
CVE-2026-39412
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2026-04-08T20:16:25.733 · Last modified 2026-06-17T10:42:04.483

Summary

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
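
Added example, not LiquidJS source and not part of the NVD record: a simplified JavaScript model of the bug class the summary describes, with a sort that reads the sort key directly beside one that applies the own-property check first. The function names (readProp, sortNaturalUnguarded, sortNaturalGuarded) and the sample objects are constructed for illustration.

```javascript
// Simplified model of the bug class; NOT LiquidJS source code.
// All function names and sample data below are hypothetical/constructed.

// Property read that honours an ownPropertyOnly-style option.
function readProp(obj, key, ownPropertyOnly) {
  if (obj === null || obj === undefined) return undefined;
  if (ownPropertyOnly && !Object.prototype.hasOwnProperty.call(obj, key)) {
    return undefined; // inherited value is treated as absent
  }
  return obj[key];
}

// Case-insensitive comparison; absent values compare as empty strings.
function compareNatural(a, b) {
  const x = String(a ?? '').toLowerCase();
  const y = String(b ?? '').toLowerCase();
  return x < y ? -1 : x > y ? 1 : 0;
}

// Unguarded: item[key] walks the prototype chain, so the resulting
// order depends on inherited values even though they are never printed.
function sortNaturalUnguarded(items, key) {
  return [...items].sort((l, r) => compareNatural(l[key], r[key]));
}

// Guarded: every read goes through the same own-property check that
// ordinary template property access is expected to use.
function sortNaturalGuarded(items, key, ownPropertyOnly = true) {
  return [...items].sort((l, r) => compareNatural(
    readProp(l, key, ownPropertyOnly),
    readProp(r, key, ownPropertyOnly)));
}

// Constructed sample: 'rank' is inherited on a and b, own on c.
const a = Object.create({ rank: 'zeta' }); a.id = 'a';
const b = Object.create({ rank: 'alpha' }); b.id = 'b';
const c = { id: 'c', rank: 'mid' };
const items = [a, c, b];

const ids = (list) => list.map((i) => i.id).join(',');

// Unguarded order follows the inherited values; guarded order does not.
console.log('unguarded:', ids(sortNaturalUnguarded(items, 'rank')));
console.log('guarded:  ', ids(sortNaturalGuarded(items, 'rank')));
```

A regression test for any filter that accepts a property name can follow the same pattern: feed it objects whose sort key exists only on the prototype and assert that the output order is unchanged when ownPropertyOnly is enabled.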

Affected products

liquidjs — liquidjs

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.