PatchSiren cyber security CVE debrief
CVE-2026-44644 harttle CVE debrief
CVE-2026-44644 is a medium severity XSS vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. This issue allows attackers to bypass sanitization by placing newlines inside HTML tags, potentially leading to code execution. Developers should review and update their deployments to version 10.26.0 or later.
- Vendor
- harttle
- Product
- liquidjs
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-22
Who should care
Developers using LiquidJS versions 10.25.7 and below should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 10.26.0 or later and reviewing custom sanitization logic. Security teams should prioritize patching and monitoring for potential exploitation.
Technical summary
The strip_html filter in LiquidJS is intended to remove HTML tags from a string before rendering but does not properly handle line terminators. An attacker can bypass sanitization by placing a newline inside a tag, allowing for XSS attacks. This issue has been fixed in version 10.26.0. Developers should update to the latest version and consider additional sanitization mechanisms. Affected products using LiquidJS versions 10.25.7 and below are at risk, and defenders should verify scope through official channels and review custom sanitization logic. Evidence is limited to public sources, and further verification is recommended.
Defensive priority
Medium
Recommended defensive actions
- Update to version 10.26.0 or later
- Use a separate HTML-escape mechanism for output
- Review and update any custom sanitization logic
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-17T23:17:03.463Z and last modified on 2026-06-22T18:27:30.807Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not be comprehensive. Defenders should verify affected scope and vendor guidance through official channels.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T23:17:03.463Z and has not been modified since then. The NVD entry is currently Deferred.