CVE-2026-35525

Name of the Vulnerable Software and Affected Versions LiquidJS versions prior to 10.25.3

Description LiquidJS does not resolve the canonical filesystem path before opening files when processing {% include %}, {% render %}, and {% layout %} directives. This allows an attacker to leverage symlinks placed within allowed partials or layouts directories to access and render files outside the intended template root. The issue arises because the path-based check for directory containment is bypassed when a symlink points to a file outside the allowed root. This could potentially expose arbitrary readable files. The vulnerability is relevant in environments where an attacker can influence files under a trusted template root, such as uploaded themes or repository-controlled template trees.

Recommendations Update LiquidJS to version 10.25.3 or later.