CVE-2026-39412

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce	Patch
https://github.com/harttle/liquidjs/pull/869	Issue Tracking Product
https://github.com/harttle/liquidjs/releases/tag/v10.25.4	Release Notes
https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv	Exploit Vendor Advisory
https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:liquidjs:liquidjs:*:*:*:*:*:node.js:*:*

History

20 Apr 2026, 14:53

Type	Values Removed	Values Added
References	~~() https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce -~~	() https://github.com/harttle/liquidjs/commit/e743da0020d34e2ee547e1cc1a86b58377ebe1ce - Patch
References	~~() https://github.com/harttle/liquidjs/pull/869 -~~	() https://github.com/harttle/liquidjs/pull/869 - Issue Tracking, Product
References	~~() https://github.com/harttle/liquidjs/releases/tag/v10.25.4 -~~	() https://github.com/harttle/liquidjs/releases/tag/v10.25.4 - Release Notes
References	~~() https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv -~~	() https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv - Exploit, Vendor Advisory
CPE		cpe:2.3:a:liquidjs:liquidjs::::::node.js::*
CWE		NVD-CWE-noinfo
First Time		Liquidjs Liquidjs liquidjs

09 Apr 2026, 14:16

Type	Values Removed	Values Added
References	~~() https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv -~~	() https://github.com/harttle/liquidjs/security/advisories/GHSA-rv5g-f82m-qrvv -

08 Apr 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 20:16

Updated : 2026-04-20 14:53

NVD link : CVE-2026-39412

Mitre link : CVE-2026-39412

CVE.ORG link : CVE-2026-39412

JSON object : View

Products Affected

liquidjs

liquidjs

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

5.3 /10