CVE-2026-30952: liquidjs has a path traversal fallback vulnerability
The layout, render, and include tags allow arbitrary file access via absolute paths, given either as string literals or through Liquid variables (the latter requires dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or to specify the filepath to be included as a Liquid variable.
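An added example, not code from liquidjs or from the advisory: a small auditor that scans template source for the two cases described above, absolute-path literals and variable-driven paths in layout, render, and include tags. The names auditTemplate, isAbsolutePath and SAMPLE are hypothetical, the sample template is constructed, and the handling of dynamicPartials: false (unquoted names read as static file names) is an assumption about liquidjs behaviour.

```javascript
// Added example: audit Liquid template source for partial references relevant
// to CVE-2026-30952. Not liquidjs code; all names here are hypothetical.

// Matches {% include ... %}, {% render ... %} and {% layout ... %}, with or
// without whitespace-control dashes, capturing the tag and its first argument.
const TAG_RE = /\{%-?\s*(include|render|layout)\s+("[^"]*"|'[^']*'|[^\s,%]+)/g;

// Absolute on POSIX (/x), rooted or UNC on Windows (\x, \\host) or a drive
// path (C:\x, C:/x). Written without imports so it runs in any module mode.
function isAbsolutePath(p) {
  return /^(?:[\\/]|[A-Za-z]:[\\/])/.test(p);
}

// Returns one finding per risky tag:
//   absolute-literal  the path is a literal and absolute
//   variable-path     the path comes from a Liquid variable (dynamicPartials)
function auditTemplate(source, { dynamicPartials = true } = {}) {
  const findings = [];
  for (const m of source.matchAll(TAG_RE)) {
    const [, tag, arg] = m;
    const line = source.slice(0, m.index).split('\n').length;
    const quoted = /^["']/.test(arg);
    if (!quoted && dynamicPartials) {
      // Unquoted argument with dynamic partials on: resolved from the scope,
      // so whoever controls that variable controls the path.
      findings.push({ line, tag, arg, risk: 'variable-path' });
      continue;
    }
    // Assumption: with dynamicPartials off, an unquoted name is a static path.
    const file = quoted ? arg.slice(1, -1) : arg;
    if (isAbsolutePath(file)) {
      findings.push({ line, tag, arg, risk: 'absolute-literal' });
    }
  }
  return findings;
}

// Constructed sample template, not taken from any real project.
const SAMPLE = [
  '{% layout "base.liquid" %}',
  '{% include "/srv/app/private/settings.json" %}',
  '{%- render user_choice -%}',
  "{% render 'card', item: product %}",
  '{% include "C:/data/notes.txt" %}',
].join('\n');

console.log(auditTemplate(SAMPLE));
```

A variable-path finding is not a vulnerability by itself; it marks a tag whose path is only as trustworthy as the data bound to that variable.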
References
- github.com/advisories/GHSA-wmfp-5q7x-987x
- github.com/harttle/liquidjs
- github.com/harttle/liquidjs/commit/3cd024d652dc883c46307581e979fe32302adbac
- github.com/harttle/liquidjs/pull/851
- github.com/harttle/liquidjs/pull/855
- github.com/harttle/liquidjs/security/advisories/GHSA-wmfp-5q7x-987x
- nvd.nist.gov/vuln/detail/CVE-2026-30952
Detect and mitigate CVE-2026-30952 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.