cvedb.io
CVE-2026-41311
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-05-09T04:16:21.913 · Last modified 2026-06-17T10:46:29.120

Summary

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.

Affected products

liquidjs — liquidjs

Does this affect you?

Add your gear to cvedb and we'll alert you only when liquidjs ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.