PT-2026-44157 · Npm · Liquidjs

Published: 2026-05-27 · Updated: 2026-05-28 · CVE-2026-45618

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: liquidjs versions prior to 10.26.0

Description: An issue allows unauthenticated attackers to achieve remote code execution and server compromise through crafted templates. The flaw is triggered by abusing filter evaluation, prototype manipulation, and access to the Function constructor. Specifically, using 1|valueOf during filter evaluation can return this, providing access to the internal context. Attackers can then overwrite this.loader.lookup and this.readFile to control the input of the parse() function. By manipulating the prototype and obtaining a reference to the Function constructor, arbitrary commands can be executed on the server.

Recommendations: Upgrade to version 10.26.0.
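
One way to act on the recommendation above, as an added example that is not part of the advisory or the liquidjs project: scan a parsed package-lock.json for direct and nested liquidjs installs older than 10.26.0. The sample lockfile and the package name site-generator are constructed for illustration.

```javascript
// Added example (not from the advisory): flag liquidjs installs older than 10.26.0.
const PACKAGE = 'liquidjs';
const FIXED = [10, 26, 0];

// Returns 'affected', 'fixed' or 'unknown' for a lockfile version string.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(version));
  if (!m) return 'unknown'; // git or tarball specifiers need manual review
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i] ? 'affected' : 'fixed';
  }
  // Same core version: a pre-release (10.26.0-rc.1) sorts before 10.26.0.
  return m[4] ? 'affected' : 'fixed';
}

function findAffected(lock) {
  const hits = [];
  const record = (path, version) => {
    const status = classify(version);
    if (status !== 'fixed') hits.push({ path, version, status });
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
      record(path, meta.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; "site-generator" is a made-up dependent package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/liquidjs': { version: '10.26.0' },
    'node_modules/site-generator': { version: '2.1.0' },
    'node_modules/site-generator/node_modules/liquidjs': { version: '10.21.1' },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of package-lock.json to findAffected; entries reported as unknown need manual review.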

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-45618
GHSA-GF2Q-C269-PQGC

Affected Products

Liquidjs