Description
The layout, render, and include tags allow arbitrary file access via absolute paths, given either as string literals or through Liquid variables; the latter requires dynamicPartials: true, which is the default.
Recommendation
Update the liquidjs package to the latest compatible version. Version details:
- Affected version(s): < 10.25.0
- Patched version(s): 10.25.0
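A defence-in-depth check an application can apply to partial or layout names that come from user-controlled Liquid variables, shown as an added example (not code from liquidjs or from this advisory). The function names, the `/srv/app/views` root and the sample names are constructed for illustration; the check complements the upgrade to 10.25.0 and does not replace it.

```javascript
// Added example: validate a partial/layout name before it is handed to a template engine.
const path = require('node:path');

// Join-style lookup: resolve() discards the root entirely when the name is absolute,
// which is why a configured template root alone does not confine absolute names.
function naiveResolve(root, name) {
  return path.resolve(root, name);
}

// Returns the resolved path strictly inside `root`, or null if the name must be rejected.
function resolveInsideRoot(root, name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) return null;
  // Reject absolute names in POSIX and Windows form ("/etc/passwd", "C:\\x", "\\\\host\\share").
  if (path.posix.isAbsolute(name) || path.win32.isAbsolute(name)) return null;
  const base = path.resolve(root);
  const target = path.resolve(base, name);
  // relative() starts with ".." (or is absolute, on another drive) when target escapes base.
  const rel = path.relative(base, target);
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Constructed sample names, as they might arrive through a Liquid variable.
const SAMPLE_ROOT = '/srv/app/views';
const SAMPLE_NAMES = [
  'partials/header.liquid',
  '/etc/passwd',
  '../secrets.env',
  'partials/../../config.json',
  'C:\\Windows\\win.ini',
];

for (const name of SAMPLE_NAMES) {
  const safe = resolveInsideRoot(SAMPLE_ROOT, name);
  console.log(JSON.stringify(name), '->', safe === null ? 'REJECTED' : safe);
}
```
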
References
Related Issues
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
- ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction - CVE-2026-32731
- SignalK Server has Path Traversal leading to information disclosure - CVE-2026-25228
- jsPDF has Local File Inclusion/Path Traversal vulnerability - CVE-2025-68428
- Tags:
- npm
- liquidjs
Last updated on March 12, 2026