Pypi · Liquido · CVE-2026-45017
**Name of the Vulnerable Software and Affected Versions**
Python Liquid versions prior to 2.2.0
**Description**
The built-in `FileSystemLoader` and `CachingFileSystemLoader` do not prevent reading files outside their designated search paths when an absolute path is provided. This allows malicious template authors to load and render arbitrary files using the `{% include %}` and `{% render %}` tags, provided the targeted files contain valid Liquid markup and are readable by the application process.
**Recommendations**
Update to version 2.2.0.
As a temporary workaround, create a custom template loader that inherits from `FileSystemLoader` and overrides the `resolve_path()` method so that absolute paths and parent directory references are blocked.
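One way to write the workaround's path check, as an added example that is not code from the Python Liquid project. The names `confined`, `ConfinedPathMixin`, `UnsafeTemplatePath` and `SafeFileSystemLoader` are hypothetical, and the mixin assumes the loader keeps its search roots in `self.search_path`; it also goes one step past the advisory text by refusing names that resolve outside a root through a symlink.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeTemplatePath(LookupError):
    """A template name that would escape the loader's search paths."""


def confined(template_name, search_paths):
    """Return True only if the name stays inside every search root."""
    posix, win = PurePosixPath(template_name), PureWindowsPath(template_name)
    # Path("/srv/tpl").joinpath("/etc/x") evaluates to "/etc/x": an absolute
    # name discards the search root, so reject it before any join. Checking
    # both flavours also catches "C:\x", "\\host\share\x" and "\x".
    if posix.is_absolute() or win.drive or win.root:
        return False
    if ".." in posix.parts or ".." in win.parts:
        return False
    for root in search_paths:
        root = Path(root).resolve()
        candidate = (root / template_name).resolve()  # follows symlinks
        try:
            candidate.relative_to(root)
        except ValueError:
            return False  # a symlink under the root points outside it
    return True


class ConfinedPathMixin:
    """List before FileSystemLoader in a subclass's bases (see below)."""

    def resolve_path(self, template_name):
        # Assumption: the loader keeps its roots in self.search_path.
        if not confined(template_name, self.search_path):
            # Fail closed; swap in the library's template-not-found
            # exception if a missing-template error is preferred.
            raise UnsafeTemplatePath(template_name)
        return super().resolve_path(template_name)


# Wiring (requires python-liquid, so left as a comment here):
#   from liquid import FileSystemLoader
#   class SafeFileSystemLoader(ConfinedPathMixin, FileSystemLoader):
#       pass
```

Pass an instance of the subclass as the environment's loader in place of the stock `FileSystemLoader` until the upgrade to 2.2.0 is deployed.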