Lucene search
K

292 matches found

Cvelist
Cvelist
added 2026/05/28 2:24 p.m.34 views

CVE-2026-45017 Python Liquid: Absolute paths escape filesystem loader search path

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

8.2CVSS0.00335EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.10 views

PT-2026-45982

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and...

7.5CVSS5.9AI score
Exploits0References2
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.11 views

Python Liquid 路径遍历漏洞

Python Liquid is a Python engine developed by James for processing Liquid templates. Versions of Python Liquid prior to 2.2.0 had a path traversal vulnerability. This vulnerability stemmed from the lack of protection in FileSystemLoader and CachingFileSystemLoader against reading absolute paths,...

8.2CVSS5.8AI score0.00335EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/27 12:9 a.m.12 views

Cross-site Scripting (XSS)

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the striphtml filter, which fails to properly remove HTML tags containing newline characters. An attacker...

6.1CVSS5.8AI score0.00203EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/11 2:57 p.m.11 views

Directory Traversal

Overview python-liquid is an A Python engine for the Liquid template language. Affected versions of this package are vulnerable to Directory Traversal via the FileSystemLoader and CachingFileSystemLoader components. An attacker can access and render arbitrary files outside the intended search pat...

8.2CVSS6.3AI score0.00335EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/11 2:57 p.m.7 views

pharia-inference-sdk (=0.1.0) potentially affected by CVE-2026-45017 via python-liquid (=2.0.2)

python-liquid PYPI version =2.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on python-liquid and may be impacted: - pharia-inference-sdk =0.1.0 Source cves: CVE-2026-45017 Source advisory: SNYK:PYTHON-PYTHONLIQUID-16734457...

8.2CVSS5.8AI score0.00335EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/11 2:57 p.m.10 views

blrec (>=1.8.0 <=2.0.0b5), dagster-looker (>=0.26.6 <=0.29.8) +6 more potentially affected by CVE-2026-45017 via python-liquid (>=1.10.2 <=2.0.2)

python-liquid PYPI version =1.10.2, =1.8.0, =0.26.6, =0.8.0, =0.1.1, =0.1.0, =0.1.0, =0.4.0, =0.0.1, =0.3.0 Source cves: CVE-2026-45017 Source advisory: OSV:GHSA-8P4X-WR7X-3788...

8.2CVSS5.7AI score0.00335EPSS
Exploits0
OSV
OSV
added 2026/05/11 2:57 p.m.5 views

GHSA-8P4X-WR7X-3788 python-liquid: Absolute paths escape filesystem loader search path

Impact The built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the % include % and % render % tags. Targeted files...

8.2CVSS5.9AI score0.00335EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.12 views

PT-2026-35030

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.25.7 Description A circular block reference within % layout % and % block % tags can trigger an infinite recursive loop. This occurs in the getBlockRender function within src/tags/block.ts during OUTPUT mode; when...

7.5CVSS5.8AI score0.00382EPSS
Exploits1References9
EUVD
EUVD
added 2026/04/08 3:3 p.m.3 views

EUVD-2026-20594

LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates...

8.2CVSS5.9AI score0.00396EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.6 views

PT-2026-31348

Name of the Vulnerable Software and Affected Versions: LiquidJS versions prior to 10.25.3 Description: LiquidJS is a template engine. A flaw exists in the 'replace' filter when the 'memoryLimit' option is enabled. The memory usage calculation incorrectly accounts for the size of the output string...

3.7CVSS5.9AI score0.00495EPSS
Exploits1References8
EUVD
EUVD
added 2026/03/23 3:30 p.m.6 views

EUVD-2019-19988

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the...

6.9CVSS5.9AI score0.00174EPSS
Exploits1References5
NVD
NVD
added 2026/03/23 2:16 p.m.4 views

CVE-2019-25624

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the...

6.9CVSS0.00174EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/03/23 1:48 p.m.4 views

CVE-2019-25624 Liquid Studio 2.17 Denial of Service via Malformed Input

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the...

6.9CVSS5.9AI score0.00174EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/23 1:48 p.m.1 views

CVE-2019-25624

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the...

6.9CVSS5.9AI score0.00174EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/03/23 1:48 p.m.15 views

CVE-2019-25624

CVE-2019-25624 affects Liquid Studio 2.17 with a denial-of-service vulnerability. Local attackers can crash the application by providing malformed keyboard input during runtime (arbitrary characters), leading to unresponsiveness or abnormal termination. CVSS metrics indicate LOCAL access, low att...

6.9CVSS5.9AI score0.00174EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/03/23 1:48 p.m.25 views

CVE-2019-25624 Liquid Studio 2.17 Denial of Service via Malformed Input

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the...

6.9CVSS0.00174EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.10 views

Pixarra Liquid Studio 安全漏洞

Pixarra Liquid Studio is a digital art creation software developed by the American company Pixarra. It focuses on creating works in the “organic block-style” style, suitable for concept art, illustrations, textures, backgrounds, and the rendering of natural forms. Version 2.17 of Pixarra Liquid...

6.9CVSS5.8AI score0.00174EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/23 12:0 a.m.9 views

PT-2026-27130

Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causing the...

6.9CVSS5.9AI score0.00174EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/03/20 9:50 a.m.3 views

CVE-2026-33130

Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection SSTI. The three mitigations added to the Liquid engine root, relativeReference, dynamicPartials only block...

6.5CVSS5.7AI score0.0034EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder