CVE-2026-45357 is a high-severity vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine. The vulnerability allows for memory and render limit bypass, potentially leading to large memory allocations, high CPU usage, or OOM crashes per render. This issue was fixed in version 10.26.0. Users of LiquidJS should update to the latest version to mitigate this vulnerability. The vulnerabilit [truncated]
CVE-2026-44646 is a medium-severity vulnerability in LiquidJS, a Shopify/GitHub Pages compatible template engine. The issue allows for a silent bypass of the `ownPropertyOnly` value in the `Context.spawn()` method, which is used in the `{% render %}` tag. This can lead to a leak of prototype-chain properties from inside any `{% render %}` partial. The vulnerability has been fixed in version 10.26.0. Devel [truncated]
CVE-2026-41311 is a denial-of-service vulnerability in LiquidJS. A circular {% layout %}/{% block %} reference can trigger an infinite recursive loop, consuming available memory and crashing the Node.js process. The issue is fixed in LiquidJS 10.25.7, and teams that accept untrusted Liquid templates should prioritize upgrading and adding template validation controls.