Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-44646
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-17 Jun, 2026 | 22:25
Updated At-18 Jun, 2026 | 13:53
Rejected At-
▼CVE Numbering Authority (CNA)
LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. In versions 10.25.7 and below, Context.spawn() creates a child Context for the {% render %} tag but does not propagate the parent context's resolved ownPropertyOnly value, resulting in a silent bypass. The new context re-derives ownPropertyOnly from opts.ownPropertyOnly (the instance-level option), silently discarding any RenderOptions.ownPropertyOnly override that was supplied to parseAndRender(). As a result, a developer who runs a Liquid instance with the backwards-compatible ownPropertyOnly:false and then locks down an untrusted render with parseAndRender(..., { ownPropertyOnly: true }) still leaks prototype-chain properties from inside any {% render %} partial. This is a distinct exploit surface from the previously identified array-filter variants (where, reject, group_by, find, find_index, has) — the underlying root cause in Context.spawn() is shared, but {% render %} is a separately reachable sink that needs no filter usage. This issue has been fixed in version 10.26.0.

Affected Products
Vendor
harttle
Product
liquidjs
Versions
Affected
  • < 10.26.0
Problem Types
TypeCWE IDDescription
CWECWE-693CWE-693: Protection Mechanism Failure
Type: CWE
CWE ID: CWE-693
Description: CWE-693: Protection Mechanism Failure
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/harttle/liquidjs/security/advisories/GHSA-9x9p-qf8f-mvjg
x_refsource_CONFIRM
https://github.com/harttle/liquidjs/commit/dbbf6288030591bf6da28d8c1cce5a17bca97bb6
x_refsource_MISC
https://github.com/harttle/liquidjs/releases/tag/v10.26.0
x_refsource_MISC
Hyperlink: https://github.com/harttle/liquidjs/security/advisories/GHSA-9x9p-qf8f-mvjg
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/harttle/liquidjs/commit/dbbf6288030591bf6da28d8c1cce5a17bca97bb6
Resource:
x_refsource_MISC
Hyperlink: https://github.com/harttle/liquidjs/releases/tag/v10.26.0
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/harttle/liquidjs/security/advisories/GHSA-9x9p-qf8f-mvjg
exploit
Hyperlink: https://github.com/harttle/liquidjs/security/advisories/GHSA-9x9p-qf8f-mvjg
Resource:
exploit
Details not found