CVE-2026-34166
LowSummary
In the LiquidJS template engine, a vulnerability was found where the replace filter incorrectly accounts for memory usage when the memoryLimit option is enabled. The issue affects versions prior to 10.25.3.
Risk Assessment
An attacker could exploit this flaw to exceed the memory limit, potentially leading to resource exhaustion and denial of service (DoS).
Recommendation
Immediately update the LiquidJS library to version 10.25.3 or later, which includes a fix for this issue.
Original NVD description (English source)
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter,

