CVE-2026-44646 harttle CVE debrief

Who should care

Developers who use LiquidJS in their applications, especially those who use the `{% render %}` tag, should be aware of this vulnerability. Updating to version 10.26.0 or later can prevent potential exploitation. This issue may be of particular interest to developers who use LiquidJS with untrusted render inputs.

Technical summary

The `Context.spawn()` method in LiquidJS creates a child context for the `{% render %}` tag but does not propagate the parent context's resolved `ownPropertyOnly` value. This results in a silent bypass, allowing prototype-chain properties to leak from inside any `{% render %}` partial. The new context re-derives `ownPropertyOnly` from `opts.ownPropertyOnly` (the instance-level option), silently discarding any `RenderOptions.ownPropertyOnly` override supplied to `parseAndRender()`. This issue has a CVSS score of 5.3 and is classified as medium severity.

Defensive priority

High

Recommended defensive actions

• Update LiquidJS to version 10.26.0 or later
• Review and update any custom templates that use the `{% render %}` tag
• Ensure that `ownPropertyOnly` is set to `true` for untrusted render inputs
• Monitor for any suspicious activity or errors related to LiquidJS
• Consider implementing additional security measures, such as input validation and sanitization

Evidence notes

The information provided is based on the official CVE record and NVD detail. The vulnerability has been fixed in version 10.26.0, and developers are advised to update to the latest version. The issue is related to the `Context.spawn()` method and the `{% render %}` tag in LiquidJS.

Official resources