PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44644 harttle CVE debrief

CVE-2026-44644 is a medium severity XSS vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. This issue allows attackers to bypass sanitization by placing newlines inside HTML tags, potentially leading to code execution. Developers should review and update their deployments to version 10.26.0 or later.

Vendor
harttle
Product
liquidjs
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-22
Advisory published
2026-06-17
Advisory updated
2026-06-22

Who should care

Developers using LiquidJS versions 10.25.7 and below should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 10.26.0 or later and reviewing custom sanitization logic. Security teams should prioritize patching and monitoring for potential exploitation.

Technical summary

The strip_html filter in LiquidJS is intended to remove HTML tags from a string before rendering but does not properly handle line terminators. An attacker can bypass sanitization by placing a newline inside a tag, allowing for XSS attacks. This issue has been fixed in version 10.26.0. Developers should update to the latest version and consider additional sanitization mechanisms. Affected products using LiquidJS versions 10.25.7 and below are at risk, and defenders should verify scope through official channels and review custom sanitization logic. Evidence is limited to public sources, and further verification is recommended.

Defensive priority

Medium

Recommended defensive actions

  • Update to version 10.26.0 or later
  • Use a separate HTML-escape mechanism for output
  • Review and update any custom sanitization logic
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-17T23:17:03.463Z and last modified on 2026-06-22T18:27:30.807Z. The NVD entry is currently Deferred. Evidence is limited to public sources and may not be comprehensive. Defenders should verify affected scope and vendor guidance through official channels.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T23:17:03.463Z and has not been modified since then. The NVD entry is currently Deferred.