CVE-2026-55865
Deferred Deferred - Pending Action

Python Liquid Template Engine Infinite Loop via Malformed Case Tag

Vulnerability report for CVE-2026-55865, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.1, given a malformed {% case %} tag without an associated {% when %} or {% else %} block and no terminating {% endcase %} tag, Python Liquid hangs in an infinite loop at parse time because liquid.TokenStream.eof did not give the EOF token matching kind and value fields, allowing malicious template authors to craft templates for a denial of service attack. This issue is fixed in version 2.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-11
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
python_liquid python_liquid to 2.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Python Liquid, a Python engine for the Liquid template language. Before version 2.2.1, if a template contained a malformed {% case %} tag without an associated {% when %} or {% else %} block and lacked a terminating {% endcase %} tag, the parser would enter an infinite loop during parsing. This happens because the internal token stream did not properly signal the end of file for this malformed structure, allowing malicious template authors to craft templates that cause the engine to hang indefinitely.

Impact Analysis

The vulnerability can be exploited to cause a denial of service (DoS) attack by making the Python Liquid engine hang in an infinite loop during template parsing. This can lead to resource exhaustion, making the affected application unresponsive or unavailable.

Mitigation Strategies

To mitigate this vulnerability, upgrade Python Liquid to version 2.2.1 or later, where the issue has been fixed.

Compliance Impact

The vulnerability in Python Liquid allows for a denial of service attack through an infinite loop caused by malformed template tags. Such denial of service issues can impact system availability, which is a factor in compliance with standards like GDPR and HIPAA that require ensuring availability and reliability of systems processing sensitive data.

However, the provided information does not explicitly describe the impact of this vulnerability on compliance with specific regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55865. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart