A critical vulnerability (CVE-2026-45618, CVSS 10.0) was disclosed affecting LiquidJS, a widely used Node.js implementation of Shopify’s Liquid template language with over 7.3 million monthly npm downloads, allowing attackers to achieve full remote code execution via crafted template input. Because exploitation requires no authentication and can lead to complete host compromise, immediate patching is required.

About CVE-2026-45618

The issue originates from LiquidJS’s filter evaluation logic, where improper input handling during template rendering leads to uncontrolled access to internal JavaScript execution contexts. By sending a specially crafted template expression using the valueOf filter (1|valueOf), attackers can access the internal execution context, chain prototype manipulation techniques to extract references to internal engine objects (parser, loader, filters), and ultimately reach the JavaScript Function constructor for arbitrary command execution. No authentication or user interaction is required to exploit this issue.

At the time of writing, a proof-of-concept exploit is publicly available demonstrating file reads (e.g., /etc/passwd) and arbitrary command execution via child_process.execSync, and the CCB Belgium national CERT has issued an advisory urging immediate patching. The severity, ease of exploitation, and public availability of exploit code make this vulnerability extremely high risk, especially in internet-facing deployments.

Affected Systems

The following component is affected: the liquidjs npm package, all versions prior to 10.26.0. This package is used across web applications, CMS platforms, email templating systems, and any Node.js service that processes Liquid templates. Any application rendering attacker-controlled or untrusted template content through LiquidJS is vulnerable. Other frameworks or services relying on LiquidJS as a transitive dependency may also be impacted.

Users should upgrade to LiquidJS version 10.26.0 or later without delay. Organizations that cannot patch immediately should restrict template input from untrusted sources and ensure that user-controlled content is never processed by LiquidJS until the update is applied.

Risk Impact

Successful exploitation could allow attackers to execute arbitrary system commands on the host, read sensitive files and credentials from the filesystem, and potentially pivot laterally across the infrastructure, leading to service disruption, data exposure, or full infrastructure compromise. The CVSS vector confirms that the scope of compromise extends beyond the vulnerable component itself (Changed scope), meaning downstream systems and data are also at risk.

How Orca Can Help

Orca enables customers to quickly identify assets running vulnerable versions of the liquidjs npm package, understand their exposure in context, including internet accessibility, runtime reachability, and asset criticality, and prioritize remediation based on real risk rather than CVSS alone. Orca’s agentless SideScanning detects the affected package across workloads without requiring agents, and the platform highlights affected assets directly in the vulnerability findings view, helping security teams focus on the most critical remediation paths first.