GHSA-8XX9-69P8-7JP3 LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body

Summary The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render call" — can be fully bypassed by a % for % or % tablerow % tag whose body is empty. The per-iteration time check is reached only when the...

PT-2026-43459

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.26.0 Description LiquidJS is a template engine written in JavaScript. A flaw exists where the renderLimit option, designed to mitigate Denial of Service DoS by limiting the time consumed by each render call, can b...