{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/liquidjs--10.26.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["liquidjs (\u003c 10.26.0)"],"_cs_severities":["critical"],"_cs_tags":["rce","template-injection","liquidjs"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA remote code execution vulnerability has been identified in LiquidJS, a template engine for JavaScript. This vulnerability, affecting versions prior to 10.26.0, allows attackers to execute arbitrary code by crafting malicious templates. The exploit involves manipulating the \u003ccode\u003evalueOf\u003c/code\u003e filter to gain access to the template context and then leveraging function calls through a comparable gadget. By overwriting key functions like \u003ccode\u003ethis.loader.lookup\u003c/code\u003e and \u003ccode\u003ethis.readFile\u003c/code\u003e, attackers can control the parsing process and ultimately obtain a reference to the \u003ccode\u003eFunction\u003c/code\u003e constructor, enabling arbitrary code execution. This vulnerability poses a significant risk to applications using vulnerable versions of LiquidJS, potentially leading to complete system compromise. The vulnerability was published on 2026-05-27.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a LiquidJS template containing malicious code.\u003c/li\u003e\n\u003cli\u003eThe template uses the \u003ccode\u003evalueOf\u003c/code\u003e filter to gain access to the template context (\u003ccode\u003ethis\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the \u003ccode\u003egroup_by\u003c/code\u003e filter to call functions via the comparable gadget.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003estoreFn\u003c/code\u003e to assign values within the template, targeting \u003ccode\u003efs.readFileSync\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites \u003ccode\u003ethis.loader.lookup\u003c/code\u003e and \u003ccode\u003ethis.readFile\u003c/code\u003e to control file parsing.\u003c/li\u003e\n\u003cli\u003eA reference to the \u003ccode\u003eFunction\u003c/code\u003e constructor is obtained through manipulated filters.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a payload to execute arbitrary code using the \u003ccode\u003eFunction\u003c/code\u003e constructor.\u003c/li\u003e\n\u003cli\u003eThe payload is executed, resulting in remote code execution on the server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on systems running vulnerable versions of LiquidJS (versions prior to 10.26.0). This can lead to complete system compromise, including data theft, modification, or destruction, as well as the potential for lateral movement within the network. Given the critical nature of remote code execution, any application using LiquidJS is at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LiquidJS to version 10.26.0 or later to patch CVE-2026-45618.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LiquidJS RCE via Template Injection\u0026rdquo; to identify exploitation attempts within your environment.\u003c/li\u003e\n\u003cli\u003eSanitize user-supplied templates to prevent injection of malicious code.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation to prevent attackers from controlling template content.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T18:28:26Z","date_published":"2026-05-27T18:28:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-liquidjs-rce/","summary":"A remote code execution vulnerability exists in LiquidJS versions prior to 10.26.0, where crafted templates can execute arbitrary code by manipulating the `valueOf` filter and leveraging function calls via a comparable gadget.","title":"LiquidJS Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-liquidjs-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Liquidjs (\u003c 10.26.0)","version":"https://jsonfeed.org/version/1.1"}