Security researchers recently uncovered a maximum-severity flaw in a highly popular template engine. Specifically, this newly disclosed Liquidjs remote code execution vulnerability exposes millions of downstream projects to complete system takeover. Liquidjs serves as a core tool for JavaScript developers porting Shopify, Jekyll, or GitHub Pages templates to Node.js. Because the package boasts over 7.3 million monthly downloads, the potential attack surface is massive.
Exploit Mechanics and the Prototype Gadget
The vulnerability is tracked as CVE-2026-45618 and carries a perfect CVSS score of 10. This critical rating reflects how easily an attacker can compromise a vulnerable host. Technically, the issue stems from an input validation flaw during filter evaluation: the engine inadvertently evaluates a valueOf filter expression in a way that returns its internal execution context. Consequently, this exposure enables malicious function calls with controlled arguments.
Achieving System Takeover
By exploiting this template engine vulnerability, an attacker can overwrite critical internal properties such as this.loader.lookup and this.readFile. After modifying these internal lookup functions, the exploit gains full control over what flows into the parser component. Ultimately, the attacker can extract a direct reference to the JavaScript Function constructor, which allows the execution of arbitrary system commands on the hosting platform. For example, proof-of-concept tests show that an adversary can easily read sensitive local files such as /etc/passwd.
Remediation Requirements
Fortunately, the maintainers have addressed this dangerous Liquidjs remote code execution bug. Security teams should move quickly to inventory every project that depends on the package.
- First, check whether your codebase uses a vulnerable version (10.25.7 or earlier).
- Next, update to the patched release, 10.27.0, immediately.
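The inventory step above is easy to get wrong when liquidjs is pulled in transitively by another package. The following is an added example, not code from the advisory or from the liquidjs project: it walks the "packages" map of an npm package-lock.json (lockfileVersion 2 or 3), finds every copy of liquidjs including nested ones, and classifies each against the version thresholds the article gives. The lockfile contents are constructed sample data.

```javascript
// Added example (not the advisory's or the liquidjs project's code): audit a
// package-lock.json for liquidjs copies and classify them by version.
const VULN_MAX = '10.25.7';  // at or below this: vulnerable (per the article)
const PATCHED = '10.27.0';   // fixed release (per the article)

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes (e.g. "-beta.1") are stripped, so treat such hits as "verify".
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// 'vulnerable': <= 10.25.7; 'verify': between the vulnerable range and the fix;
// 'patched': 10.27.0 or later.
function classify(version) {
  if (cmpVersion(version, VULN_MAX) <= 0) return 'vulnerable';
  if (cmpVersion(version, PATCHED) < 0) return 'verify';
  return 'patched';
}

// Walk the lockfile's "packages" map. liquidjs may sit at the top level or be nested
// under another dependency (node_modules/x/node_modules/liquidjs); both are reported.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/liquidjs' || path.endsWith('/node_modules/liquidjs')) {
      findings.push({ path, version: entry.version, status: classify(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project's): one direct, vulnerable copy and
// one nested, patched copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/liquidjs': { version: '10.25.7' },
    'node_modules/some-ssg/node_modules/liquidjs': { version: '10.27.0' },
    'node_modules/commander': { version: '10.0.1' },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.path}`);
}
```

To audit a real project, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); any 'vulnerable' or 'verify' finding, nested or not, needs the dependency that pins it updated as well.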