Description
The layout, render, and include tags allow arbitrary file access via absolute paths, supplied either as string literals or through Liquid variables; the latter requires dynamicPartials: true, which is the default.
Recommendation
Update the liquidjs package to the latest compatible version. Version details:
- Affected version(s): < 10.25.0
- Patched version(s): 10.25.0
Related Issues
- SillyTavern has a Path Traversal issue - CVE-2026-44650
- Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
- i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
Tags: npm, liquidjs
Last updated on March 12, 2026


