Lucene search
K

4 matches found

NVD
NVD
added 2026/06/17 11:17 p.m.8 views

CVE-2026-44646

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new...

5.3CVSS0.00271EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/17 10:25 p.m.28 views

CVE-2026-44646 LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new...

5.3CVSS0.00271EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/27 12:28 a.m.13 views

Insecure Default Initialization of Resource

Overview liquidjs is an A simple, expressive, safe and Shopify compatible template engine in pure JavaScript. Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the Context.spawn function. An attacker can access prototype-chain properties of objects...

6.9CVSS5.8AI score0.00271EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/27 12:28 a.m.17 views

LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`

Summary Context.spawn in liquidjs creates a child Context for the % render % tag but does not propagate the parent context's resolved ownPropertyOnly value. The new context re-derives ownPropertyOnly from opts.ownPropertyOnly the instance-level option, silently discarding any...

5.3CVSS6AI score0.00811EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder