Back to overview

CVE-2026-55865

HIGH
7.1
CVSS 4.0
Description
Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.1, given a malformed {% case %} tag without an associated {% when %} or {% else %} block and no terminating {% endcase %} tag, Python Liquid hangs in an infinite loop at parse time because liquid.TokenStream.eof did not give the EOF token matching kind and value fields, allowing malicious template authors to craft templates for a denial of service attack. This issue is fixed in version 2.2.1.

Metadata

CVE ID
CVE-2026-55865
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 16:44 UTC
Published
2026-07-09 20:34 UTC
Last updated
2026-07-09 20:34 UTC
Primary CWE
CWE-835
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loo…
Vendor / Product
jg-rp / liquid
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
jg-rp liquid < 2.2.1
Weakness (CWE)
CWESourceDescription
CWE-835 cna CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References (3)
Back to overview