CVE-2026-45017

Source
https://cve.org/CVERecord?id=CVE-2026-45017
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45017.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45017
Aliases
Downstream
Related
Published
2026-05-28T14:24:27.928Z
Modified
2026-07-08T08:13:29.272605688Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Python Liquid: Absolute paths escape filesystem loader search path
Details

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45017.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/jg-rp/liquid

Affected ranges

Type
GIT
Repo
https://github.com/jg-rp/liquid
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:jg-rp:python_liquid:*:*:*:*:*:python:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.0"
        }
    ]
}

Affected versions

v0.*
v0.6.2
v0.7.2
v0.7.7
v0.8.0
v0.9.0
v1.*
v1.0.0
v1.1.0
v1.1.3
v1.1.5
v1.1.7
v1.10.0
v1.10.2
v1.11.0
v1.12.0
v1.12.1
v1.12.2
v1.13.0
v1.2.0
v1.3.0
v1.4.0
v1.4.3
v1.4.5
v1.4.6
v1.4.7
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.7.0
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45017.json"