CVE-2026-45017 HIGH

CVE-2026-45017: Python Liquid: Absolute paths escape filesystem loader search path

Vendor Jg-Rp

Product liquid

Weakness CWE-22 · Path traversal

Published May 28, 2026

Last update May 28, 2026

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0.

Key dates

Disclosure timeline

May 28, 2026 CVE published

May 28, 2026 Record updated