PatchSiren

harttle CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH harttle CVE published 2026-06-17

CVE-2026-45357

CVE-2026-45357 is a high-severity vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine. It allows the memory and render limits to be bypassed, potentially leading to large memory allocations, high CPU usage, or OOM crashes per render. The issue was fixed in version 10.26.0. Users of LiquidJS should update to the latest version to mitigate this vulnerability. The vulnerabilit [truncated]

MEDIUM harttle CVE published 2026-06-17

CVE-2026-44646

CVE-2026-44646 is a medium-severity vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine. The issue allows for a silent bypass of the `ownPropertyOnly` value in the `Context.spawn()` method, which is used in the `{% render %}` tag. This can lead to a leak of prototype-chain properties from inside any `{% render %}` partial. The vulnerability has been fixed in version 10.26.0. Devel [truncated]

HIGH harttle CVE published 2026-05-09

CVE-2026-41311

CVE-2026-41311 is a denial-of-service vulnerability in LiquidJS. A circular `{% layout %}`/`{% block %}` reference can trigger an infinite recursive loop, consuming available memory and crashing the Node.js process. The issue is fixed in LiquidJS 10.25.7, and teams that accept untrusted Liquid templates should prioritize upgrading and adding template validation controls.