CVE-2026-44644 LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the striphtml filter logic. The striphtml filter is intended to remove HTML tags from a string before rendering, and is widely used as an XS...

GHSA-R7G9-XPMJ-5FCQ LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex

Summary The built-in striphtml filter in liquidjs uses a regex containing four lazy-quantified alternatives. When the input contains many |||/g, '' The regex contains four lazy patterns: 1. 2. 3. 4. For an input like 'script'.repeatN, the engine encounters N starting positions. At each one it mus...

PT-2026-44156

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.26.0 Description The built-in strip html filter uses a regular expression containing four flawed lazy-quantified alternatives. When processing input with numerous script, style, or !-- opener tokens that lack...

PT-2026-43458

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.26.0 Description A flaw in the strip html filter logic allows for Cross-Site Scripting XSS. The filter is designed to remove HTML tags from strings to act as a sanitizer; however, it uses a regular expression wher...

Cross-site Scripting (XSS)

Overview league/commonmark is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the DisallowedRawHtml extension when a newline, tab, or...