CVE-2026-30952: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in harttle liquidjs
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths, either as string literals or through Liquid variables (the latter requires dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
AI Analysis
Technical Summary
CVE-2026-30952 is a path traversal vulnerability identified in the harttle liquidjs template engine, a JavaScript-based engine compatible with Shopify and GitHub Pages. Versions prior to 10.25.0 improperly restrict pathname inputs in the layout, render, and include tags, allowing attackers to specify absolute file paths. This flaw stems from CWE-22: Improper Limitation of a Pathname to a Restricted Directory. When dynamicPartials is enabled (default setting), Liquid variables can be used to dynamically specify file paths, which attackers can manipulate to access arbitrary files on the server filesystem. This can lead to unauthorized disclosure of sensitive data such as configuration files, source code, or credentials. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 score is 8.7 (high), reflecting the ease of exploitation and the critical confidentiality impact. The vulnerability was publicly disclosed in March 2026 and fixed in liquidjs version 10.25.0. No known exploits have been reported in the wild to date. The issue is particularly concerning for web applications that allow untrusted users to influence template content or file inclusion paths, as this can be leveraged for server-side information disclosure attacks.
Potential Impact
The primary impact of CVE-2026-30952 is unauthorized disclosure of sensitive files on servers running vulnerable versions of liquidjs. Attackers can read arbitrary files outside the intended template directories, potentially exposing secrets such as environment variables, private keys, database credentials, or proprietary source code. This compromises confidentiality and can facilitate further attacks like privilege escalation or lateral movement. Since the vulnerability requires no authentication or user interaction, it can be exploited by remote attackers with network access to the application. The integrity and availability of the system are not directly affected, but the breach of confidentiality can have severe business and compliance consequences. Organizations relying on liquidjs for e-commerce, content management, or static site generation are at risk, especially if they allow user-supplied template content or file paths. The widespread use of liquidjs in Shopify-compatible environments and GitHub Pages increases the global attack surface. Although no active exploits are known, the vulnerability’s high CVSS score and ease of exploitation make it a critical risk that demands prompt remediation.
Mitigation Recommendations
To mitigate CVE-2026-30952, organizations should immediately upgrade all liquidjs instances to version 10.25.0 or later, where the vulnerability is fixed. Additionally, restrict or sanitize any user input that can influence template file paths, especially when dynamicPartials is enabled. Disable dynamicPartials if dynamic file inclusion is not required. Implement strict allowlisting of template directories and enforce path normalization to prevent traversal sequences. Employ runtime monitoring and alerting for suspicious file access patterns. Conduct code reviews and security testing on templates that accept user input to ensure no arbitrary file inclusion is possible. For environments where upgrading is not immediately feasible, consider isolating the application with least privilege file system permissions to limit the impact of potential exploitation. Finally, maintain up-to-date backups and incident response plans to quickly recover from any compromise.
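The allowlisting and path-normalization recommendation above can be checked before templates ever reach the engine. The following is an added example, not liquidjs code or part of the original advisory: it lints template source for layout, render, and include tags and flags literal paths that leave the allowed directories. `TEMPLATE_ROOTS`, `resolvePartial`, and `auditTemplate` are hypothetical names, and the directory layout and sample template are constructed.

```javascript
// Added example, not liquidjs code: lint templates for unsafe partial references.
const path = require('path').posix; // assumption: POSIX server paths

// Assumed (hypothetical) template directories for this example.
const TEMPLATE_ROOTS = ['/srv/app/views', '/srv/app/partials'];

// Lexical containment check: returns the resolved path when `name` stays
// inside an allowlisted root, otherwise null. Symlinks are not followed, so
// pair this with a realpath check if roots may contain links.
function resolvePartial(name, roots = TEMPLATE_ROOTS) {
  if (typeof name !== 'string' || name === '' || /[\0\\]/.test(name)) return null;
  if (path.isAbsolute(name) || /^[A-Za-z]:/.test(name)) return null;
  for (const root of roots) {
    const candidate = path.resolve(root, name);
    const rel = path.relative(root, candidate);
    if (rel !== '' && rel !== '..' && !rel.startsWith('../')) return candidate;
  }
  return null;
}

// Finds layout/render/include tags and classifies their first argument.
// Quoted literals are checked against the allowlist; anything else is a
// Liquid variable, resolved at render time when dynamicPartials is on.
function auditTemplate(src) {
  const tagRe = /\{%-?\s*(layout|render|include)\s+(?:"([^"]*)"|'([^']*)'|([^\s%]+))/g;
  const findings = [];
  for (const m of src.matchAll(tagRe)) {
    const literal = m[2] !== undefined ? m[2] : m[3];
    if (literal === undefined) {
      findings.push({ tag: m[1], arg: m[4], verdict: 'dynamic' });
    } else {
      const verdict = resolvePartial(literal) ? 'ok' : 'rejected';
      findings.push({ tag: m[1], arg: literal, verdict });
    }
  }
  return findings;
}

// Constructed sample template.
const SAMPLE = [
  '{% layout "base.liquid" %}',
  "{% include '/etc/hostname' %}",
  '{% render "../../config/secrets.yml" %}',
  '{%- include page.sidebar -%}',
].join('\n');

console.log(auditTemplate(SAMPLE));
```

Findings marked `dynamic` are the ones to trace back to their data source: if the variable can carry user input, pass its value through `resolvePartial` before rendering.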
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T17:34:39.980Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69b082c52f860ef943b7fd43
Added to database: 3/10/2026, 8:44:53 PM
Last enriched: 3/10/2026, 8:59:22 PM
Last updated: 3/14/2026, 2:08:49 AM