Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/handlebars@2.0.0-alpha.4

Type npm

Namespace

Name handlebars

Version 2.0.0-alpha.4

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.7.7

Latest_non_vulnerable_version 4.7.9

Affected_by_vulnerabilities

url VCID-ee9h-dvvt-qyat

vulnerability_id VCID-ee9h-dvvt-qyat

summary

XSS vulnerability due to improper value escaping
The library does not properly escape attribute values making XSS exploits possible.

references

reference_url	https://github.com/wycats/handlebars.js/commit/83b8e846a3569bd366cf0b6bdc1e4604d1a2077e
reference_id
reference_type
scores
url	https://github.com/wycats/handlebars.js/commit/83b8e846a3569bd366cf0b6bdc1e4604d1a2077e

reference_url	https://github.com/wycats/handlebars.js/issues/1114
reference_id
reference_type
scores
url	https://github.com/wycats/handlebars.js/issues/1114

fixed_packages

url pkg:npm/handlebars@4.0.0

purl pkg:npm/handlebars@4.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-25sr-kapq-dbea

vulnerability	VCID-7c3a-mqkm-3ycc

vulnerability	VCID-cfg5-1ju5-73b1

vulnerability	VCID-f1td-t6kf-wfcm

vulnerability	VCID-nhz2-v28w-gye1

vulnerability	VCID-q9rt-jtx1-hybx

vulnerability	VCID-s9ab-ntdt-vkgd

vulnerability	VCID-uv5v-22z9-fbfg

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.0.0

aliases GMS-2015-33

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ee9h-dvvt-qyat

url VCID-f1td-t6kf-wfcm

vulnerability_id VCID-f1td-t6kf-wfcm

summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

references

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e

reference_url

https://github.com/handlebars-lang/handlebars.js/issues/1495

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/issues/1495

reference_url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692

reference_url

https://www.npmjs.com/advisories/755

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/advisories/755

reference_url	https://github.com/advisories/GHSA-q42p-pg8m-cqh6
reference_id	GHSA-q42p-pg8m-cqh6
reference_type
scores
url	https://github.com/advisories/GHSA-q42p-pg8m-cqh6

fixed_packages

url pkg:npm/handlebars@3.0.7

purl pkg:npm/handlebars@3.0.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nhz2-v28w-gye1

vulnerability	VCID-q9rt-jtx1-hybx

vulnerability	VCID-s9ab-ntdt-vkgd

vulnerability	VCID-uv5v-22z9-fbfg

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@3.0.7

url pkg:npm/handlebars@4.0.14

purl pkg:npm/handlebars@4.0.14

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-25sr-kapq-dbea

vulnerability	VCID-nhz2-v28w-gye1

vulnerability	VCID-q9rt-jtx1-hybx

vulnerability	VCID-s9ab-ntdt-vkgd

vulnerability	VCID-uv5v-22z9-fbfg

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.0.14

url pkg:npm/handlebars@4.1.2

purl pkg:npm/handlebars@4.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-25sr-kapq-dbea

vulnerability	VCID-nhz2-v28w-gye1

vulnerability	VCID-q9rt-jtx1-hybx

vulnerability	VCID-s9ab-ntdt-vkgd

vulnerability	VCID-uv5v-22z9-fbfg

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.1.2

aliases GHSA-q42p-pg8m-cqh6, GMS-2019-126

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f1td-t6kf-wfcm

url VCID-nhz2-v28w-gye1

vulnerability_id VCID-nhz2-v28w-gye1

summary

Prototype Pollution in handlebars
The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'.
Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0.

Versions Affected: 0.3.3.5-0.3.3.8
Not affected: < 0.3.3.5
Fixed Versions: None

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution.
Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute
arbitrary code through crafted payloads.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-19919

reference_id

reference_type

scores

value	0.24752
scoring_system	epss
scoring_elements	0.96248
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-19919

reference_url

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919

reference_url

https://github.com/advisories/GHSA-w457-6q6x-cgp9

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-w457-6q6x-cgp9

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db

reference_url

https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js

reference_url

https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5

reference_url

https://github.com/wycats/handlebars.js

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wycats/handlebars.js

reference_url

https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc

reference_url

https://github.com/wycats/handlebars.js/issues/1558

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wycats/handlebars.js/issues/1558

reference_url	https://www.npmjs.com/advisories/1164
reference_id
reference_type
scores
url	https://www.npmjs.com/advisories/1164

reference_url

https://www.tenable.com/security/tns-2021-14

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.tenable.com/security/tns-2021-14

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1789959
reference_id	1789959
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1789959

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-19919

reference_id

CVE-2019-19919

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-19919

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml

reference_id

CVE-2019-19919.YML

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml

reference_url	https://access.redhat.com/errata/RHSA-2023:1334
reference_id	RHSA-2023:1334
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1334

fixed_packages

url pkg:npm/handlebars@3.0.8

purl pkg:npm/handlebars@3.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@3.0.8

url pkg:npm/handlebars@4.3.0

purl pkg:npm/handlebars@4.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-25sr-kapq-dbea

vulnerability	VCID-q9rt-jtx1-hybx

vulnerability	VCID-s9ab-ntdt-vkgd

vulnerability	VCID-uv5v-22z9-fbfg

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.3.0

aliases CVE-2019-19919, GHSA-w457-6q6x-cgp9

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nhz2-v28w-gye1

url VCID-q9rt-jtx1-hybx

vulnerability_id VCID-q9rt-jtx1-hybx

summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

references

reference_url

https://www.npmjs.com/advisories/1324

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/advisories/1324

reference_url	https://github.com/advisories/GHSA-q2c6-c6pm-g3gh
reference_id	GHSA-q2c6-c6pm-g3gh
reference_type
scores
url	https://github.com/advisories/GHSA-q2c6-c6pm-g3gh

fixed_packages

url pkg:npm/handlebars@3.0.8

purl pkg:npm/handlebars@3.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@3.0.8

url pkg:npm/handlebars@4.5.3

purl pkg:npm/handlebars@4.5.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3

aliases GHSA-q2c6-c6pm-g3gh, GMS-2020-730

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q9rt-jtx1-hybx

url VCID-r2g9-pje8-ykcb

vulnerability_id VCID-r2g9-pje8-ykcb

summary

Quoteless Attributes in Templates can lead to Content Injection
Not using quotes around your attributes in handlebar templates, could lead to content injection.

### Example
Template:
```<a href={{foo}}/>```

Input:
```{ 'foo' : 'test.com onload=alert(1)'}```

Rendered result:
```<a href=test.com onload=alert(1)/>```

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2015-8861

reference_id

reference_type

scores

value	0.00317
scoring_system	epss
scoring_elements	0.55055
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2015-8861

reference_url

https://blog.srcclr.com/handlebars_vulnerability_research_findings

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://blog.srcclr.com/handlebars_vulnerability_research_findings

reference_url

https://blog.srcclr.com/handlebars_vulnerability_research_findings/

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

url

https://blog.srcclr.com/handlebars_vulnerability_research_findings/

reference_url

https://github.com/wycats/handlebars.js

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wycats/handlebars.js

reference_url

https://github.com/wycats/handlebars.js/pull/1083

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wycats/handlebars.js/pull/1083

reference_url

https://www.npmjs.com/advisories/61

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/advisories/61

reference_url

https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings

reference_url	https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings/
reference_id
reference_type
scores
url	https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings/

reference_url

https://www.tenable.com/security/tns-2016-18

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.tenable.com/security/tns-2016-18

reference_url

http://www.openwall.com/lists/oss-security/2016/04/20/11

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2016/04/20/11

reference_url

http://www.securityfocus.com/bid/96434

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/96434

reference_url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/61.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

url

https://github.com/nodejs/security-wg/blob/main/vuln/npm/61.json

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2015-8861

reference_id

CVE-2015-8861

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2015-8861

reference_url

https://github.com/advisories/GHSA-9prh-257w-9277

reference_id

GHSA-9prh-257w-9277

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-9prh-257w-9277

fixed_packages

url pkg:npm/handlebars@4.0.0

purl pkg:npm/handlebars@4.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-25sr-kapq-dbea

vulnerability	VCID-7c3a-mqkm-3ycc

vulnerability	VCID-cfg5-1ju5-73b1

vulnerability	VCID-f1td-t6kf-wfcm

vulnerability	VCID-nhz2-v28w-gye1

vulnerability	VCID-q9rt-jtx1-hybx

vulnerability	VCID-s9ab-ntdt-vkgd

vulnerability	VCID-uv5v-22z9-fbfg

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.0.0

aliases CVE-2015-8861, GHSA-9prh-257w-9277

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-r2g9-pje8-ykcb

url VCID-s9ab-ntdt-vkgd

vulnerability_id VCID-s9ab-ntdt-vkgd

summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

references

reference_url

https://www.npmjs.com/advisories/1325

reference_id

reference_type

scores

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/advisories/1325

reference_url	https://github.com/advisories/GHSA-g9r4-xpmj-mj65
reference_id	GHSA-g9r4-xpmj-mj65
reference_type
scores
url	https://github.com/advisories/GHSA-g9r4-xpmj-mj65

fixed_packages

url pkg:npm/handlebars@3.0.8

purl pkg:npm/handlebars@3.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@3.0.8

url pkg:npm/handlebars@4.5.3

purl pkg:npm/handlebars@4.5.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3

aliases GHSA-g9r4-xpmj-mj65, GMS-2020-729

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s9ab-ntdt-vkgd

url VCID-uv5v-22z9-fbfg

vulnerability_id VCID-uv5v-22z9-fbfg

summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

references

reference_url

https://www.npmjs.com/advisories/1316

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/advisories/1316

reference_url	https://github.com/advisories/GHSA-2cf5-4w76-r9qv
reference_id	GHSA-2cf5-4w76-r9qv
reference_type
scores
url	https://github.com/advisories/GHSA-2cf5-4w76-r9qv

fixed_packages

url pkg:npm/handlebars@3.0.8

purl pkg:npm/handlebars@3.0.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@3.0.8

url pkg:npm/handlebars@4.5.2

purl pkg:npm/handlebars@4.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-q9rt-jtx1-hybx

vulnerability	VCID-s9ab-ntdt-vkgd

vulnerability	VCID-xxez-8xav-cfdz

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.2

aliases GHSA-2cf5-4w76-r9qv, GMS-2020-727

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uv5v-22z9-fbfg

url VCID-xxez-8xav-cfdz

vulnerability_id VCID-xxez-8xav-cfdz

summary

Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when
selecting certain compiling options to compile templates coming from an untrusted source.
This vulnerability has been assigned the CVE identifier CVE-2021-23369.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-23369

reference_id

reference_type

scores

value	0.03582
scoring_system	epss
scoring_elements	0.87954
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-23369

reference_url

https://github.com/advisories/GHSA-f2jv-r9rf-7988

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements

url

https://github.com/advisories/GHSA-f2jv-r9rf-7988

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

reference_url

https://github.com/wycats/handlebars.js

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wycats/handlebars.js

reference_url

https://security.netapp.com/advisory/ntap-20210604-0008

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210604-0008

reference_url	https://security.netapp.com/advisory/ntap-20210604-0008/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210604-0008/

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952

reference_url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1948761
reference_id	1948761
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1948761

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-23369

reference_id

CVE-2021-23369

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-23369

reference_url	https://access.redhat.com/errata/RHSA-2021:2500
reference_id	RHSA-2021:2500
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2500

reference_url	https://access.redhat.com/errata/RHSA-2021:4032
reference_id	RHSA-2021:4032
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4032

reference_url	https://access.redhat.com/errata/RHSA-2021:4628
reference_id	RHSA-2021:4628
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4628

reference_url	https://access.redhat.com/errata/RHSA-2023:1334
reference_id	RHSA-2023:1334
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1334

fixed_packages

url	pkg:npm/handlebars@4.7.7
purl	pkg:npm/handlebars@4.7.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7

aliases CVE-2021-23369, GHSA-f2jv-r9rf-7988

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xxez-8xav-cfdz

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@2.0.0-alpha.4

Package Instance