CVE-2026-44644
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
LiquidJS, a template engine compatible with Shopify/GitHub Pages, has a vulnerability to XSS in versions 10.25.7 and below due to a flaw in the strip_html filter logic. This flaw allows bypassing HTML sanitization, enabling attackers to inject malicious code.
Risk Assessment
Organizations using vulnerable versions of LiquidJS may be exposed to XSS attacks, potentially leading to user data theft or session hijacking. There is a high risk in applications rendering attacker-controlled strings without additional HTML-escaping.
Recommendation
It is recommended to update LiquidJS to version 10.26.0 or later to mitigate this vulnerability. Additionally, implementing extra security measures such as HTML-escaping for rendered output is advisable.
Original NVD description (English source)
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a \n or \r character passes through unmodified. An attacker who can place a newline inside a tag (e.g. <img\nsrc=x\nonerror=alert(1)>) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting onerror/onload/etc. handler. Exploitation is possible for applications that both render attacker-controlled strings via {{ x | strip_html }} to defend against HTML injection and do not separately HTML-escape that output (default behavior — outputEscape is unset by default). This issue has been fixed in version 10.26.0.

