CVE-2026-45357: Liquidjs Unvalidated Fs Fallback

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | typescript
greprules fetch cve-2026-45357-liquidjs-unvalidated-fs-fallback --engine opengrep

Description

A file path returned by `fs.fallback` is yielded without an authorization or path boundary check (e.g., `isAllowed`). This omission bypasses the directory sandbox, leading to a path traversal vulnerability.
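
An added example, not LiquidJS source or code from this rule's repository: a simplified model of a template path lookup that shows the flagged pattern beside the corrected one. The `TemplateFs` interface, the function names and the sample paths are assumptions; only the `fallback` hook and the `isAllowed`-style check come from the description.

```typescript
import * as path from "node:path";

// Simplified model, not LiquidJS source. `fallback` is the hook named above;
// the interface shape, paths and function names are assumptions.
interface TemplateFs {
  resolve(dir: string, file: string): string;
  fallback?(file: string): string | undefined;
}

// Boundary check in the role of `isAllowed`: true only for paths strictly inside a root.
function isAllowed(roots: string[], candidate: string): boolean {
  const resolved = path.posix.resolve(candidate);
  return roots.some((root) => {
    const rel = path.posix.relative(path.posix.resolve(root), resolved);
    return rel !== "" && rel !== ".." && !rel.startsWith("../");
  });
}

// Paths resolved against each root, filtered by the boundary check.
function* rootCandidates(fs: TemplateFs, roots: string[], file: string): Generator<string> {
  for (const root of roots) {
    const resolved = fs.resolve(root, file);
    if (isAllowed(roots, resolved)) yield resolved;
  }
}

// Flagged pattern: the fallback result is yielded with no boundary check.
function* candidatesUnchecked(fs: TemplateFs, roots: string[], file: string): Generator<string> {
  yield* rootCandidates(fs, roots, file);
  const fb = fs.fallback?.(file);
  if (fb !== undefined) yield fb;
}

// Corrected pattern: the fallback result passes the same check before it is yielded.
function* candidatesChecked(fs: TemplateFs, roots: string[], file: string): Generator<string> {
  yield* rootCandidates(fs, roots, file);
  const fb = fs.fallback?.(file);
  if (fb !== undefined && isAllowed(roots, fb)) yield fb;
}

// Constructed sample: two template roots and a fallback that resolves under one of them.
const ROOTS = ["/srv/app/views", "/srv/app/shared"];
const sampleFs: TemplateFs = {
  resolve: (dir, file) => path.posix.resolve(dir, file),
  fallback: (file) => path.posix.resolve("/srv/app/shared", file),
};
```

A fallback result that stays inside a root is still yielded by `candidatesChecked`, so the added check does not disable the fallback for in-sandbox templates.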

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
