CVE-2026-44644
CVE-2026-44644 affects liquidjs versions 10.25.7 and earlier. The strip_html filter uses a regex where the catch‑all branch () does not match line terminators, allowing a newline inside a tag (e.g., ) to bypass sanitization. If applications render attacker-controlled input via {{ x | strip_html }...