CVE-2026-44644
XSS via strip_html Filter in LiquidJS

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a \n or \r character passes through unmodified. An attacker who can place a newline inside a tag (e.g. <img\nsrc=x\nonerror=alert(1)>) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting onerror/onload/etc. handler. Exploitation is possible for applications that both render attacker-controlled strings via {{ x | strip_html }} to defend against HTML injection and do not separately HTML-escape that output (default behavior: outputEscape is unset by default). This issue has been fixed in version 10.26.0.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
liquidjs | liquidjs | to 10.26.0 (exc)
liquidjs | liquidjs | 10.26.0
CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in LiquidJS, a template engine written in JavaScript. Versions 10.25.7 and below have a flaw in the strip_html filter, which is supposed to remove HTML tags from strings to prevent cross-site scripting (XSS) attacks.

The flaw is due to the filter's use of a regular expression that does not match line terminators like newline characters within HTML tags. As a result, an attacker can insert newline characters inside HTML tags (for example, <img\nsrc=x\nonerror=alert(1)>) which bypasses the sanitization.

Because browsers treat newlines as whitespace inside tags, event-handler attributes such as onerror or onload still execute, leading to XSS. This vulnerability can be exploited when attacker-controlled strings are rendered using the strip_html filter without additional HTML escaping.

The issue was fixed in version 10.26.0 of LiquidJS.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks, allowing attackers to execute arbitrary JavaScript in the context of the affected web application.

Such attacks can result in theft of user credentials, session hijacking, defacement of websites, or distribution of malware.

If your application uses LiquidJS versions 10.25.7 or below and relies on the strip_html filter for sanitization without additional escaping, you are at risk.

Mitigation Strategies

To mitigate this vulnerability, upgrade LiquidJS to version 10.26.0 or later, where the issue with the strip_html filter has been fixed.

Additionally, ensure that output escaping (outputEscape) is enabled when rendering attacker-controlled strings to prevent XSS attacks.
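
The newline gap described above, as an added example (not LiquidJS source and not part of the original advisory): a simplified model that applies only the catch-all branch <.*?> quoted in the description, next to a variant that spans line terminators and a generic HTML-escaping step. The function names, the [\s\S] variant and the audit helper are assumptions made for illustration; the inputs are constructed, the second one being the string quoted in the description.

```javascript
// Added illustration: a simplified model, not LiquidJS source code.
// Only the catch-all branch quoted in the advisory is modelled here.
const CATCH_ALL = /<.*?>/g; // "." never matches \n, \r, \u2028 or \u2029

// Assumption: one way to close the gap is to let the branch span line
// terminators. This is not claimed to be the change shipped in 10.26.0.
const CATCH_ALL_MULTILINE = /<[\s\S]*?>/g;

function stripCatchAll(input) {
  return String(input).replace(CATCH_ALL, '');
}

function stripMultiline(input) {
  return String(input).replace(CATCH_ALL_MULTILINE, '');
}

// Generic HTML escaping: the separate layer that still neutralises the
// markup when tag stripping misses it.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Audit helper (hypothetical): flags stored values that contain a tag-like
// span with a line terminator between "<" and ">", i.e. values the
// single-line branch would leave untouched.
const TAG_WITH_LINE_TERMINATOR = /<[^<>]*[\r\n\u2028\u2029][^<>]*>/;
function hasMultilineTag(input) {
  return TAG_WITH_LINE_TERMINATOR.test(String(input));
}

// Constructed sample inputs.
const samples = {
  singleLine: 'Hi <b>there</b>',
  multiLine: 'Hi <img\nsrc=x\nonerror=alert(1)>',
};

function report() {
  return Object.entries(samples).map(([name, value]) => ({
    name,
    flagged: hasMultilineTag(value),
    catchAll: stripCatchAll(value),
    multiline: stripMultiline(value),
    strippedThenEscaped: escapeHtml(stripCatchAll(value)),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

In the report, the single-line input is stripped by both patterns, while the multi-line input comes back unchanged from the single-line branch and is only made inert by the escaping step.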
