Warning: Critical remote code execution affects LiquidJS, Patch Immediately!

Published: 28/05/2026
  • Last update: 28/05/2026
  • Affected software: LiquidJS
  • Type: Remote Code Execution
  • CVE/CVSS
    → CVE-2026-45618: CVSS DD (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

GitHub Advisory - https://github.com/advisories/GHSA-gf2q-c269-pqgc

Risks

A vulnerability in LiquidJS (CVE-2026-45618) enables a remote attacker to craft malicious templates in order to perform remote code execution on affected systems.

LiquidJS is a JavaScript implementation of the Liquid template language (originally created by Shopify) used to generate dynamic HTML content. It acts as a bridge, combining raw data with design templates to output the final web pages you see in a browser. This means the framework is most likely to be found as part of web applications hosted on web servers.

LiquidJS is a very popular template engine with millions of downloads every week. Threat actors will likely attempt to exploit this vulnerability in order to fully compromise vulnerable systems.

Description

CVE-2026-45618 is a critical code injection vulnerability affecting LiquidJS. Successful exploitation enables a remote, unauthenticated attacker to execute arbitrary code with crafted templates.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices or code bases using LiquidJS with the highest priority after thorough testing.
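
To find which code bases need the update, the following added example (not part of the CCB advisory or the LiquidJS project) lists every copy of liquidjs recorded in a parsed package-lock.json, including copies pulled in by other packages. The function names, the sample lockfile and the version numbers are constructed for illustration; the patched version is not stated here and must be taken from the GitHub advisory listed under Sources.

```javascript
// Compare two "major.minor.patch" strings numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Returns [{ path, version, needsUpdate }] for each liquidjs entry in the lockfile.
// fixedVersion is supplied by the caller from the vendor advisory (assumption).
function findLiquidjs(lock, fixedVersion) {
  const hits = [];
  const add = (path, version) => {
    if (typeof version !== "string") return; // e.g. link entries carry no version
    hits.push({ path, version, needsUpdate: compareVersions(version, fixedVersion) < 0 });
  };
  if (lock.packages) {
    // lockfile v2/v3: flat map keyed by install path; match the exact package name only
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/liquidjs$/.test(path)) add(path, meta.version);
    }
  } else {
    // lockfile v1: nested "dependencies" tree, walked recursively
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "liquidjs") add(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// CONSTRUCTED lockfile and CONSTRUCTED version numbers, not real LiquidJS releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/liquidjs": { version: "9.9.9" },
    "node_modules/some-cms/node_modules/liquidjs": { version: "1.2.3" },
    "node_modules/liquidjs-helper": { version: "1.0.0" },
  },
};
console.log(findLiquidjs(sampleLock, "9.9.9"));
```

A nested copy that still reports `needsUpdate: true` after the top-level dependency has been upgraded means the parent package pins its own older copy and has to be updated or overridden separately.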

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.