PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55865 jg-rp CVE debrief

CVE-2026-55865 is a denial of service vulnerability in Python Liquid, a Python engine for the Liquid template language. Prior to version 2.2.1, a malformed {% case %} tag without an associated {% when %} or {% else %} block and no terminating {% endcase %} tag can cause an infinite loop at parse time. This issue allows malicious template authors to craft templates for a denial of service attack. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Affected product deployments should be identified and owners assigned for follow-up.

Vendor
jg-rp
Product
liquid
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-09
Original CVE updated
2026-07-10
Advisory published
2026-07-09
Advisory updated
2026-07-10

Who should care

Users of Python Liquid, especially those who use it to render user-supplied templates, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 2.2.1 or later and being cautious when using user-supplied templates. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability and implement necessary controls.

Technical summary

The vulnerability exists in the liquid.TokenStream.eof method, which did not properly handle the EOF token matching kind and value fields. This allowed an attacker to craft a malformed {% case %} tag that would cause the parser to enter an infinite loop. The issue is fixed in version 2.2.1, which properly handles the EOF token and prevents the infinite loop. Affected product context indicates Python Liquid versions prior to 2.2.1 are vulnerable.

Defensive priority

High

Recommended defensive actions

  • Update Python Liquid to version 2.2.1 or later
  • Be cautious when using user-supplied templates
  • Monitor for suspicious template usage
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record was published on 2026-07-09T21:16:56.277Z and last modified on 2026-07-10T19:19:42.207Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify affected product deployments and review official advisories for scope and guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-09T21:16:56.277Z and has not been modified since then. The NVD entry is currently Deferred.