CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-44644

mediumCVSS 6.1covered by 1 sourcefirst seen 2026-05-27
Summary The strip_html filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a \n or \r character passes through unmodified. An attacker who can place a newline inside a tag (e.g. <img\nsrc=x\nonerror=alert(1)>) bypasses sanitization entirely, since browsers treat newlines as whitespace within a tag and execute the resulting onerror/onload/etc. handler. This results in stored or reflected XSS in any application that relies on strip_html to neutralize untrusted HTML. Details The vulnerable code is in src/filters/html.ts: // src/filters/html.ts:45-49 export function strip_html (this: FilterImpl, v: string) { const str = stringify(v) this.context.memoryLimit.use(str.length) return str.replace(/<script[\s\S]*?<\/script>|<style[\s\S]*?<\/style>|<.*?>|<!--[\s\S]*?-->/g, '') } The regex has four alternations: 1. <script[\s\S]*?<\/script> — uses [\s\S], matches across newlines. 2. <style[\s\S]*?<\/style> — uses [\s\S], matches across newlines. 3. <.*?> — uses ., which in JavaScript does not match \n or \r (no s/dotAll flag set). 4. <!--[\s\S]*?--> — uses [\s\S], matches across newlines. Branch 3 is the catch-all for "any other tag." Because . excludes line terminators, a tag containing a newline does not match any alternative. The literal characters of the tag are passed through to the output. Browsers, however, parse HTML tag content with whitespace tolerance: per the HTML spec, attribute names and values may be separated by ASCII whitespace, which includes \n and \r. So <img\nsrc=x\nonerror=alert(1)> is parsed as a valid img element with an onerror handler. liquidjs' default rendering pipeline does not auto-escape filter output (the outputEscape engine option is undefined by default — see src/liquid-options.ts), so the unescaped HTML is delivered verbatim to the consumer's HT

⚡ Watch CVE-2026-44644

Get an email if CVE-2026-44644 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-44644

CVE.org record

Embed the live status

CVE-2026-44644 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-44644 status](https://www.csirts.com/badge/CVE-2026-44644)](https://www.csirts.com/cve/CVE-2026-44644)