HIGH 7.5

CVE-2026-45017

Python Liquid is a templating engine used to process dynamic content. Versions before 2.2.0 contain a path traversal flaw that lets an attacker with the ability to author templates bypass security restrictions and read arbitrary files from the server. An attacker could use the {% include %} or {% render %} template tags with absolute file paths to access files outside the intended template directory. The compromised files are then processed as templates, potentially exposing their contents. This requires the attacker to have template authoring privileges and targets files readable by the application.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-22
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in Python Liquid's FileSystemLoader and CachingFileSystemLoader classes, which fail to properly validate absolute paths during template resolution. When a malicious template author specifies an absolute file path in {% include %} or {% render %} tags, the loaders do not restrict access to their configured search paths. This is a classic path traversal (CWE-22) vulnerability. An attacker can construct paths like '/etc/passwd' or other sensitive files accessible by the application process, read them as template source, and execute Liquid syntax against their contents. The vulnerability has a CVSS 3.1 score of 7.5 (High), reflecting high confidentiality impact with network-accessible attack vector and low complexity.

Business impact

This vulnerability enables information disclosure through unauthorized file access. In production deployments where untrusted users can create or modify templates—such as SaaS platforms offering template customization, CMS systems with template editors, or multi-tenant applications—an attacker could exfiltrate sensitive configuration files, environment variables, credentials, or other application data. The impact is limited to confidentiality; integrity and availability are not directly compromised. However, exposure of configuration or secrets could enable secondary attacks. Organizations using Python Liquid in environments without strict template author controls face elevated risk.

Affected systems

The vulnerability affects Python Liquid (jg-rp/python_liquid) in all versions prior to 2.2.0. Any application using affected versions of the library is potentially at risk if it allows untrusted users to author or provide template content. This includes both direct instantiation of FileSystemLoader and CachingFileSystemLoader. Verify your Python Liquid version via package management tools (pip show python-liquid) and review whether your application processes user-supplied templates.

Exploitability

Exploitability requires that an attacker can author or control template content processed by the application. The attack does not require authentication or user interaction, and exploitation is straightforward—simply providing an absolute path in a template tag. However, the targeted file must be readable by the application process and must contain or be compatible with valid Liquid markup for full impact. In environments where template authoring is restricted to administrators, risk is substantially lower. Public disclosure status and active exploitation details are not indicated in available intelligence.

Remediation

Upgrade Python Liquid to version 2.2.0 or later, which properly validates and restricts template paths to configured search directories. After patching, verify the fix in your environment by testing that absolute paths in template includes are properly rejected. For applications where immediate patching is not feasible, implement application-layer controls: restrict template authoring to trusted users only, use file system permissions to limit what the application process can read, and consider sandboxing template processing or using alternative templating engines without path traversal capabilities.

Patch guidance

Update Python Liquid via your package manager: 'pip install --upgrade python-liquid>=2.2.0' (verify the exact version number against the official PyPI repository and jg-rp project releases). Test the patch in a staging environment to ensure compatibility with your application before deploying to production. Review your dependency lock files (requirements.txt, Pipfile, poetry.lock) to confirm the update. If you maintain a private artifact repository, ensure version 2.2.0 or later is available before deploying updates.

Detection guidance

Monitor application logs for unusual template includes referencing absolute paths (e.g., paths starting with '/' or containing '..') in {% include %} or {% render %} tags. If your application logs template resolution attempts, watch for rejections or unusual file access attempts. Use file integrity monitoring on sensitive files readable by the application process to detect unauthorized reads. In code review, audit template content processed from user input and examine loader configuration to confirm path restrictions are in place. If templates are stored in version control, look for recent additions of suspicious include paths.

Why prioritize this

This vulnerability merits prioritization if your organization uses Python Liquid and allows untrusted template authoring. The HIGH CVSS score (7.5) and direct path traversal mechanism indicate meaningful risk. However, exploitability is contingent on template author privileges, which may significantly limit practical impact depending on your deployment model. Prioritize based on: (1) whether user-supplied templates are processed, (2) sensitivity of files readable by the application, and (3) whether template authors are trusted. Organizations with strict template controls may deprioritize; those with open or user-driven templating should patch urgently.

Risk score, explained

CVSS 3.1 score of 7.5 (HIGH) reflects: Network-accessible attack vector (AV:N), low attack complexity requiring only template authoring capability (AC:L), no privilege or user interaction required (PR:N/UI:N), high confidentiality impact from arbitrary file read (C:H), and no direct integrity or availability impact (I:N/A:N). The score appropriately weights the information disclosure threat while acknowledging the scope limitation (files must be readable by the application and compatible with Liquid syntax). Real-world severity may vary significantly based on deployment context.

Frequently asked questions

Can this vulnerability allow remote code execution?

No. The vulnerability is limited to information disclosure through arbitrary file reading. An attacker cannot execute code directly, though exposure of credentials or configuration could enable secondary attacks. The file content is processed as Liquid template syntax, which does not support arbitrary code execution by default.

What if our application doesn't allow users to write templates?

If all templates are authored by trusted administrators and users cannot provide or modify template content, this vulnerability has minimal practical risk in your environment. However, verify this assumption carefully: check whether config files, environment variables, or other mechanisms could allow users to influence template paths indirectly.

Do we need to patch if we're running Python Liquid in a restricted sandbox?

Sandboxing reduces but does not eliminate risk. If the sandbox can only access intended template directories, the vulnerability cannot be exploited. However, defense-in-depth recommends patching anyway—sandboxes can have gaps, and the fix is straightforward.

How do we know if we're vulnerable?

Check your Python Liquid version: run 'pip show python-liquid' and compare against 2.2.0. If your version is below 2.2.0, you are vulnerable. Additionally, audit whether your application processes user-provided template content; if not, practical risk is lower but you should still patch.

This analysis is based on publicly available vulnerability data as of the publication date. Security advisories and patch status may be updated by vendors; verify current version availability and guidance from the jg-rp project. This vulnerability intelligence is provided for informational purposes to support security decision-making. Organizations should conduct their own risk assessment based on their specific deployment and threat model. No exploit code or weaponized proof-of-concept is provided. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2018-25408HIGH

    CVE-2018-25408: Open ISES Project Path Traversal Vulnerability (High Severity)

  • CVE-2024-40646HIGH

    CVE-2024-40646: Vertex Path Traversal Vulnerability – Remote File Access Risk

  • CVE-2026-10108HIGH

    CVE-2026-10108: Unauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability

  • CVE-2026-32847HIGH

    CVE-2026-32847: DeepCode Path Traversal Allows Unauthenticated Arbitrary File Read

  • CVE-2026-35082HIGH

    CVE-2026-35082: MBS Solutions Gateway Firmware Path Traversal - File Access Vulnerability

  • CVE-2026-39276HIGH

    CVE-2026-39276: Emlog Pro v2.6.9 Path Traversal Remote Code Execution

  • CVE-2026-43624HIGH

    CVE-2026-43624: F5-TTS Path Traversal Vulnerability (CVSS 8.2)

  • CVE-2026-44594HIGH

    CVE-2026-44594: Local File Inclusion in esm.sh CDN – HIGH Severity Information Disclosure