Lookup for vulnerable packages by Package URL.

purl pkg:npm/handlebars@4.0.6
type npm
namespace
name handlebars
version 4.0.6
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 4.7.9
latest_non_vulnerable_version 4.7.9
affected_by_vulnerabilities
0
url VCID-25sr-kapq-dbea
vulnerability_id VCID-25sr-kapq-dbea
summary
Denial of Service in handlebars
Affected versions of `handlebars` are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.


## Recommendation

Upgrade to version 4.4.5 or later.
references
0
reference_url https://www.npmjs.com/advisories/1300
reference_id
reference_type
scores
0
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1300
1
reference_url https://github.com/advisories/GHSA-f52g-6jhx-586p
reference_id GHSA-f52g-6jhx-586p
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f52g-6jhx-586p
fixed_packages
0
url pkg:npm/handlebars@4.4.5
purl pkg:npm/handlebars@4.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-3ej8-4wrb-dqed
2
vulnerability VCID-4e4r-qabs-cbg7
3
vulnerability VCID-4sp5-ymgy-qfg4
4
vulnerability VCID-7c3a-mqkm-3ycc
5
vulnerability VCID-81p2-vehj-hub1
6
vulnerability VCID-bkew-8c9k-mbh2
7
vulnerability VCID-cxf4-xmgb-aue5
8
vulnerability VCID-q9rt-jtx1-hybx
9
vulnerability VCID-rrb5-uk9f-zbc8
10
vulnerability VCID-s9ab-ntdt-vkgd
11
vulnerability VCID-uv5v-22z9-fbfg
12
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.4.5
aliases GHSA-f52g-6jhx-586p, GMS-2020-728
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-25sr-kapq-dbea
1
url VCID-2r9d-e4z2-ckbh
vulnerability_id VCID-2r9d-e4z2-ckbh
summary handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33916
reference_id
reference_type
scores
0
value 0.00072
scoring_system epss
scoring_elements 0.22105
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33916
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916
3
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/
url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
5
reference_url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/
url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
6
reference_url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/
url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33916
reference_id
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33916
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id 1132141
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452509
reference_id 2452509
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452509
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23369
reference_id CVE-2021-23369
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23369
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23383
reference_id CVE-2021-23383
reference_type
scores
0
value 4.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23383
12
reference_url https://github.com/advisories/GHSA-2qvq-rjwj-gvw9
reference_id GHSA-2qvq-rjwj-gvw9
reference_type
scores
url https://github.com/advisories/GHSA-2qvq-rjwj-gvw9
fixed_packages
0
url pkg:npm/handlebars@4.7.9
purl pkg:npm/handlebars@4.7.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9
aliases CVE-2026-33916, GHSA-2qvq-rjwj-gvw9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2r9d-e4z2-ckbh
2
url VCID-3ej8-4wrb-dqed
vulnerability_id VCID-3ej8-4wrb-dqed
summary
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-23383
reference_id
reference_type
scores
0
value 0.05666
scoring_system epss
scoring_elements 0.90555
published_at 2026-06-05T12:55:00Z
1
value 0.05666
scoring_system epss
scoring_elements 0.90541
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-23383
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
3
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
6
reference_url https://security.netapp.com/advisory/ntap-20210618-0007
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210618-0007
7
reference_url https://security.netapp.com/advisory/ntap-20210618-0007/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210618-0007/
8
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
9
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
10
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
11
reference_url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
12
reference_url https://www.npmjs.com/package/handlebars
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/handlebars
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1956688
reference_id 1956688
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1956688
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23383
reference_id CVE-2021-23383
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23383
15
reference_url https://github.com/advisories/GHSA-765h-qjxv-5f44
reference_id GHSA-765h-qjxv-5f44
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-765h-qjxv-5f44
16
reference_url https://access.redhat.com/errata/RHSA-2021:2500
reference_id RHSA-2021:2500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2500
17
reference_url https://access.redhat.com/errata/RHSA-2021:4032
reference_id RHSA-2021:4032
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4032
18
reference_url https://access.redhat.com/errata/RHSA-2021:4628
reference_id RHSA-2021:4628
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4628
19
reference_url https://access.redhat.com/errata/RHSA-2023:1334
reference_id RHSA-2023:1334
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1334
fixed_packages
0
url pkg:npm/handlebars@4.7.7
purl pkg:npm/handlebars@4.7.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-4e4r-qabs-cbg7
2
vulnerability VCID-4sp5-ymgy-qfg4
3
vulnerability VCID-81p2-vehj-hub1
4
vulnerability VCID-bkew-8c9k-mbh2
5
vulnerability VCID-cxf4-xmgb-aue5
6
vulnerability VCID-rrb5-uk9f-zbc8
7
vulnerability VCID-yv4k-1q7a-wqee
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7
aliases CVE-2021-23383, GHSA-765h-qjxv-5f44
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ej8-4wrb-dqed
3
url VCID-4e4r-qabs-cbg7
vulnerability_id VCID-4e4r-qabs-cbg7
summary handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33941
reference_id
reference_type
scores
0
value 9e-05
scoring_system epss
scoring_elements 0.00935
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33941
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941
3
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/
url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
5
reference_url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/
url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
6
reference_url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/
url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33941
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33941
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id 1132141
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452524
reference_id 2452524
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452524
10
reference_url https://github.com/advisories/GHSA-xjpj-3mr7-gcpf
reference_id GHSA-xjpj-3mr7-gcpf
reference_type
scores
url https://github.com/advisories/GHSA-xjpj-3mr7-gcpf
11
reference_url https://access.redhat.com/errata/RHSA-2026:10175
reference_id RHSA-2026:10175
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10175
fixed_packages
0
url pkg:npm/handlebars@4.7.9
purl pkg:npm/handlebars@4.7.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9
aliases CVE-2026-33941, GHSA-xjpj-3mr7-gcpf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4e4r-qabs-cbg7
4
url VCID-4sp5-ymgy-qfg4
vulnerability_id VCID-4sp5-ymgy-qfg4
summary handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33937
reference_id
reference_type
scores
0
value 0.0024
scoring_system epss
scoring_elements 0.4751
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33937
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937
3
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/
url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
5
reference_url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/
url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
6
reference_url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/
url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33937
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33937
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id 1132141
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452523
reference_id 2452523
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452523
10
reference_url https://github.com/advisories/GHSA-2w6w-674q-4c4q
reference_id GHSA-2w6w-674q-4c4q
reference_type
scores
url https://github.com/advisories/GHSA-2w6w-674q-4c4q
11
reference_url https://access.redhat.com/errata/RHSA-2026:10175
reference_id RHSA-2026:10175
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10175
fixed_packages
0
url pkg:npm/handlebars@4.7.9
purl pkg:npm/handlebars@4.7.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9
aliases CVE-2026-33937, GHSA-2w6w-674q-4c4q
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4sp5-ymgy-qfg4
5
url VCID-7c3a-mqkm-3ycc
vulnerability_id VCID-7c3a-mqkm-3ycc
summary
Improper Control of Generation of Code ('Code Injection')
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-20920
reference_id
reference_type
scores
0
value 0.00343
scoring_system epss
scoring_elements 0.57143
published_at 2026-06-04T12:55:00Z
1
value 0.00343
scoring_system epss
scoring_elements 0.57194
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-20920
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920
3
reference_url https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
5
reference_url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
6
reference_url https://www.npmjs.com/advisories/1316
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1316
7
reference_url https://www.npmjs.com/advisories/1324
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1324
8
reference_url https://www.npmjs.com/package/handlebars
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/handlebars
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1882260
reference_id 1882260
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1882260
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-20920
reference_id CVE-2019-20920
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-20920
11
reference_url https://github.com/advisories/GHSA-3cqr-58rm-57f8
reference_id GHSA-3cqr-58rm-57f8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3cqr-58rm-57f8
12
reference_url https://access.redhat.com/errata/RHSA-2020:5179
reference_id RHSA-2020:5179
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:5179
13
reference_url https://access.redhat.com/errata/RHSA-2021:2500
reference_id RHSA-2021:2500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2500
14
reference_url https://access.redhat.com/errata/RHSA-2021:3917
reference_id RHSA-2021:3917
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3917
15
reference_url https://access.redhat.com/errata/RHSA-2023:1334
reference_id RHSA-2023:1334
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1334
fixed_packages
0
url pkg:npm/handlebars@4.5.3
purl pkg:npm/handlebars@4.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-3ej8-4wrb-dqed
2
vulnerability VCID-4e4r-qabs-cbg7
3
vulnerability VCID-4sp5-ymgy-qfg4
4
vulnerability VCID-81p2-vehj-hub1
5
vulnerability VCID-bkew-8c9k-mbh2
6
vulnerability VCID-cxf4-xmgb-aue5
7
vulnerability VCID-rrb5-uk9f-zbc8
8
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3
aliases CVE-2019-20920, GHSA-3cqr-58rm-57f8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7c3a-mqkm-3ycc
6
url VCID-81p2-vehj-hub1
vulnerability_id VCID-81p2-vehj-hub1
summary handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33940
reference_id
reference_type
scores
0
value 0.00032
scoring_system epss
scoring_elements 0.09841
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33940
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940
3
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/
url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
5
reference_url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/
url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
6
reference_url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/
url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33940
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33940
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id 1132141
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452521
reference_id 2452521
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452521
10
reference_url https://github.com/advisories/GHSA-xhpv-hc6g-r9c6
reference_id GHSA-xhpv-hc6g-r9c6
reference_type
scores
url https://github.com/advisories/GHSA-xhpv-hc6g-r9c6
11
reference_url https://access.redhat.com/errata/RHSA-2026:10175
reference_id RHSA-2026:10175
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10175
fixed_packages
0
url pkg:npm/handlebars@4.7.9
purl pkg:npm/handlebars@4.7.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9
aliases CVE-2026-33940, GHSA-xhpv-hc6g-r9c6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-81p2-vehj-hub1
7
url VCID-bkew-8c9k-mbh2
vulnerability_id VCID-bkew-8c9k-mbh2
summary handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33938
reference_id
reference_type
scores
0
value 0.00048
scoring_system epss
scoring_elements 0.15242
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33938
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938
3
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/
url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
5
reference_url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/
url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
6
reference_url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/
url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33938
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33938
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id 1132141
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452525
reference_id 2452525
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452525
10
reference_url https://github.com/advisories/GHSA-3mfm-83xf-c92r
reference_id GHSA-3mfm-83xf-c92r
reference_type
scores
url https://github.com/advisories/GHSA-3mfm-83xf-c92r
11
reference_url https://access.redhat.com/errata/RHSA-2026:10175
reference_id RHSA-2026:10175
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10175
fixed_packages
0
url pkg:npm/handlebars@4.7.9
purl pkg:npm/handlebars@4.7.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9
aliases CVE-2026-33938, GHSA-3mfm-83xf-c92r
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bkew-8c9k-mbh2
8
url VCID-cfg5-1ju5-73b1
vulnerability_id VCID-cfg5-1ju5-73b1
summary
Uncontrolled Resource Consumption
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-20922
reference_id
reference_type
scores
0
value 0.00291
scoring_system epss
scoring_elements 0.52798
published_at 2026-06-05T12:55:00Z
1
value 0.00291
scoring_system epss
scoring_elements 0.52739
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-20922
2
reference_url https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
3
reference_url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
4
reference_url https://www.npmjs.com/advisories/1300
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1300
5
reference_url https://www.npmjs.com/package/handlebars
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/package/handlebars
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1882256
reference_id 1882256
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1882256
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-20922
reference_id CVE-2019-20922
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-20922
8
reference_url https://github.com/advisories/GHSA-62gr-4qp9-h98f
reference_id GHSA-62gr-4qp9-h98f
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-62gr-4qp9-h98f
9
reference_url https://access.redhat.com/errata/RHSA-2020:5179
reference_id RHSA-2020:5179
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:5179
10
reference_url https://access.redhat.com/errata/RHSA-2021:2500
reference_id RHSA-2021:2500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2500
11
reference_url https://access.redhat.com/errata/RHSA-2021:3917
reference_id RHSA-2021:3917
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:3917
12
reference_url https://access.redhat.com/errata/RHSA-2023:1334
reference_id RHSA-2023:1334
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1334
fixed_packages
0
url pkg:npm/handlebars@4.4.5
purl pkg:npm/handlebars@4.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-3ej8-4wrb-dqed
2
vulnerability VCID-4e4r-qabs-cbg7
3
vulnerability VCID-4sp5-ymgy-qfg4
4
vulnerability VCID-7c3a-mqkm-3ycc
5
vulnerability VCID-81p2-vehj-hub1
6
vulnerability VCID-bkew-8c9k-mbh2
7
vulnerability VCID-cxf4-xmgb-aue5
8
vulnerability VCID-q9rt-jtx1-hybx
9
vulnerability VCID-rrb5-uk9f-zbc8
10
vulnerability VCID-s9ab-ntdt-vkgd
11
vulnerability VCID-uv5v-22z9-fbfg
12
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.4.5
aliases CVE-2019-20922, GHSA-62gr-4qp9-h98f
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cfg5-1ju5-73b1
9
url VCID-cxf4-xmgb-aue5
vulnerability_id VCID-cxf4-xmgb-aue5
summary handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33939
reference_id
reference_type
scores
0
value 0.00076
scoring_system epss
scoring_elements 0.22975
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33939
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939
3
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/
url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
5
reference_url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/
url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
6
reference_url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/
url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33939
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33939
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id 1132141
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452508
reference_id 2452508
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452508
10
reference_url https://github.com/advisories/GHSA-9cx6-37pm-9jff
reference_id GHSA-9cx6-37pm-9jff
reference_type
scores
url https://github.com/advisories/GHSA-9cx6-37pm-9jff
11
reference_url https://access.redhat.com/errata/RHSA-2026:10175
reference_id RHSA-2026:10175
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:10175
fixed_packages
0
url pkg:npm/handlebars@4.7.9
purl pkg:npm/handlebars@4.7.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9
aliases CVE-2026-33939, GHSA-9cx6-37pm-9jff
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cxf4-xmgb-aue5
10
url VCID-f1td-t6kf-wfcm
vulnerability_id VCID-f1td-t6kf-wfcm
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
references
0
reference_url https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac
1
reference_url https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86
2
reference_url https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4
3
reference_url https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e
4
reference_url https://github.com/handlebars-lang/handlebars.js/issues/1495
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/issues/1495
5
reference_url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
6
reference_url https://www.npmjs.com/advisories/755
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/755
7
reference_url https://github.com/advisories/GHSA-q42p-pg8m-cqh6
reference_id GHSA-q42p-pg8m-cqh6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q42p-pg8m-cqh6
fixed_packages
0
url pkg:npm/handlebars@4.0.14
purl pkg:npm/handlebars@4.0.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25sr-kapq-dbea
1
vulnerability VCID-2r9d-e4z2-ckbh
2
vulnerability VCID-3ej8-4wrb-dqed
3
vulnerability VCID-4e4r-qabs-cbg7
4
vulnerability VCID-4sp5-ymgy-qfg4
5
vulnerability VCID-7c3a-mqkm-3ycc
6
vulnerability VCID-81p2-vehj-hub1
7
vulnerability VCID-bkew-8c9k-mbh2
8
vulnerability VCID-cfg5-1ju5-73b1
9
vulnerability VCID-cxf4-xmgb-aue5
10
vulnerability VCID-nhz2-v28w-gye1
11
vulnerability VCID-q9rt-jtx1-hybx
12
vulnerability VCID-rrb5-uk9f-zbc8
13
vulnerability VCID-s9ab-ntdt-vkgd
14
vulnerability VCID-uv5v-22z9-fbfg
15
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.0.14
1
url pkg:npm/handlebars@4.1.2
purl pkg:npm/handlebars@4.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25sr-kapq-dbea
1
vulnerability VCID-2r9d-e4z2-ckbh
2
vulnerability VCID-3ej8-4wrb-dqed
3
vulnerability VCID-4e4r-qabs-cbg7
4
vulnerability VCID-4sp5-ymgy-qfg4
5
vulnerability VCID-7c3a-mqkm-3ycc
6
vulnerability VCID-81p2-vehj-hub1
7
vulnerability VCID-bkew-8c9k-mbh2
8
vulnerability VCID-cfg5-1ju5-73b1
9
vulnerability VCID-cxf4-xmgb-aue5
10
vulnerability VCID-nhz2-v28w-gye1
11
vulnerability VCID-q9rt-jtx1-hybx
12
vulnerability VCID-rrb5-uk9f-zbc8
13
vulnerability VCID-s9ab-ntdt-vkgd
14
vulnerability VCID-uv5v-22z9-fbfg
15
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.1.2
aliases GHSA-q42p-pg8m-cqh6, GMS-2019-126
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f1td-t6kf-wfcm
11
url VCID-nhz2-v28w-gye1
vulnerability_id VCID-nhz2-v28w-gye1
summary
Prototype Pollution in handlebars
The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'.
Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0.

Versions Affected: 0.3.3.5-0.3.3.8
Not affected: < 0.3.3.5
Fixed Versions: None

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution.
Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute
arbitrary code through crafted payloads.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-19919
reference_id
reference_type
scores
0
value 0.24752
scoring_system epss
scoring_elements 0.96254
published_at 2026-06-05T12:55:00Z
1
value 0.24752
scoring_system epss
scoring_elements 0.96248
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-19919
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
3
reference_url https://github.com/advisories/GHSA-w457-6q6x-cgp9
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w457-6q6x-cgp9
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
5
reference_url https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db
6
reference_url https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js
7
reference_url https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
8
reference_url https://github.com/wycats/handlebars.js
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/wycats/handlebars.js
9
reference_url https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
10
reference_url https://github.com/wycats/handlebars.js/issues/1558
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/wycats/handlebars.js/issues/1558
11
reference_url https://www.npmjs.com/advisories/1164
reference_id
reference_type
scores
url https://www.npmjs.com/advisories/1164
12
reference_url https://www.tenable.com/security/tns-2021-14
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://www.tenable.com/security/tns-2021-14
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1789959
reference_id 1789959
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1789959
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-19919
reference_id CVE-2019-19919
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-19919
15
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
reference_id CVE-2019-19919.YML
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
16
reference_url https://access.redhat.com/errata/RHSA-2023:1334
reference_id RHSA-2023:1334
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1334
fixed_packages
0
url pkg:npm/handlebars@4.3.0
purl pkg:npm/handlebars@4.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-25sr-kapq-dbea
1
vulnerability VCID-2r9d-e4z2-ckbh
2
vulnerability VCID-3ej8-4wrb-dqed
3
vulnerability VCID-4e4r-qabs-cbg7
4
vulnerability VCID-4sp5-ymgy-qfg4
5
vulnerability VCID-7c3a-mqkm-3ycc
6
vulnerability VCID-81p2-vehj-hub1
7
vulnerability VCID-bkew-8c9k-mbh2
8
vulnerability VCID-cfg5-1ju5-73b1
9
vulnerability VCID-cxf4-xmgb-aue5
10
vulnerability VCID-q9rt-jtx1-hybx
11
vulnerability VCID-rrb5-uk9f-zbc8
12
vulnerability VCID-s9ab-ntdt-vkgd
13
vulnerability VCID-uv5v-22z9-fbfg
14
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.3.0
aliases CVE-2019-19919, GHSA-w457-6q6x-cgp9
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nhz2-v28w-gye1
12
url VCID-q9rt-jtx1-hybx
vulnerability_id VCID-q9rt-jtx1-hybx
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
references
0
reference_url https://www.npmjs.com/advisories/1324
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1324
1
reference_url https://github.com/advisories/GHSA-q2c6-c6pm-g3gh
reference_id GHSA-q2c6-c6pm-g3gh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q2c6-c6pm-g3gh
fixed_packages
0
url pkg:npm/handlebars@4.5.3
purl pkg:npm/handlebars@4.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-3ej8-4wrb-dqed
2
vulnerability VCID-4e4r-qabs-cbg7
3
vulnerability VCID-4sp5-ymgy-qfg4
4
vulnerability VCID-81p2-vehj-hub1
5
vulnerability VCID-bkew-8c9k-mbh2
6
vulnerability VCID-cxf4-xmgb-aue5
7
vulnerability VCID-rrb5-uk9f-zbc8
8
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3
aliases GHSA-q2c6-c6pm-g3gh, GMS-2020-730
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q9rt-jtx1-hybx
13
url VCID-rrb5-uk9f-zbc8
vulnerability_id VCID-rrb5-uk9f-zbc8
summary
Handlebars.js has a Property Access Validation Bypass in container.lookup
## Summary

In `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform.

Only relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`.

## Description

The vulnerable code in `lib/handlebars/runtime.js` (lines 137–144):

```javascript
lookup: function (depths, name) {
  const len = depths.length;
  for (let i = 0; i < len; i++) {
    let result = depths[i] && container.lookupProperty(depths[i], name);
    if (result != null) {
      return depths[i][name];  // BUG: should be `return result;`
    }
  }
},
```

`container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned.

## Workarounds

- Avoid enabling `{ compat: true }` when rendering templates that include untrusted data.
- Ensure context data objects are plain JSON (no Proxies, no getter-based accessor properties).
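The check/use split described above, as an added runnable model (not the library's own code). `lookupProperty` here is a simplified stand-in for the real `container.lookupProperty()`: the page says it enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls, so the model admits only own properties and rejects a small assumed deny-list of prototype-access names. `lookupVulnerable` mirrors the shape of the quoted snippet, `lookupFixed` returns the validated result, and `makeFlipFlopContext` is a constructed context whose own accessor property returns one value to the check and a different one to the raw read, which is exactly the kind of non-plain-JSON data the workaround above tells you to keep out of a `compat` render.

```javascript
// Added example: model of the container.lookup() TOCTOU in Handlebars compat mode.
// Not the library's code; lookupProperty and DENIED are simplified assumptions.

// Assumed deny-list standing in for resultIsAllowed(): names that would hand a
// template a way into the prototype chain.
const DENIED = new Set([
  'constructor', '__proto__', '__defineGetter__', '__defineSetter__',
  '__lookupGetter__', '__lookupSetter__',
]);

// Stand-in for container.lookupProperty(): only own properties, never a denied name.
function lookupProperty(parent, propertyName) {
  if (parent == null) return undefined;
  if (!Object.prototype.hasOwnProperty.call(parent, propertyName)) return undefined;
  if (DENIED.has(propertyName)) return undefined;
  return parent[propertyName];
}

// Vulnerable shape: the validated result is used only as a boolean gate, then
// the property is read a second time without any of lookupProperty's checks.
function lookupVulnerable(depths, name) {
  for (let i = 0; i < depths.length; i++) {
    const result = depths[i] && lookupProperty(depths[i], name);
    if (result != null) {
      return depths[i][name]; // raw re-read: check and use are decoupled
    }
  }
  return undefined;
}

// Fixed shape: return the value the gate actually validated, read exactly once.
function lookupFixed(depths, name) {
  for (let i = 0; i < depths.length; i++) {
    const result = depths[i] && lookupProperty(depths[i], name);
    if (result != null) {
      return result;
    }
  }
  return undefined;
}

// Constructed context: an own accessor property whose getter answers the first
// read (the check) with a benign value and every later read (the use) with
// something else. Plain JSON data cannot behave like this.
function makeFlipFlopContext() {
  let reads = 0;
  return Object.defineProperty({}, 'title', {
    enumerable: true,
    get() {
      reads += 1;
      return reads === 1 ? 'benign' : 'value-seen-only-by-the-raw-read';
    },
  });
}

// Walk a compat-style depth chain (innermost scope first) with both lookups.
function demonstrate() {
  const outer = { title: 'outer-title', plain: 'plain-value' };
  return {
    // Raw re-read exposes the second getter result.
    vulnerable: lookupVulnerable([makeFlipFlopContext(), outer], 'title'),
    // Returning the validated value keeps check and use on the same read.
    fixed: lookupFixed([makeFlipFlopContext(), outer], 'title'),
    // Plain JSON contexts: both shapes agree, so the bug is invisible in normal use.
    plainVulnerable: lookupVulnerable([{}, outer], 'plain'),
    plainFixed: lookupFixed([{}, outer], 'plain'),
    // Prototype-access names are refused by the gate in both shapes.
    deniedVulnerable: lookupVulnerable([outer], 'constructor'),
    deniedFixed: lookupFixed([outer], 'constructor'),
  };
}

console.log(demonstrate());
```

The plain-JSON rows are the reason this went unnoticed: with ordinary objects both reads return the same value, and only an accessor or Proxy in the context, combined with `{compat: true}`, makes the second read observable.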
references
0
reference_url https://github.com/handlebars-lang/handlebars.js
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js
1
reference_url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
2
reference_url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
3
reference_url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2
4
reference_url https://github.com/advisories/GHSA-442j-39wm-28r2
reference_id GHSA-442j-39wm-28r2
reference_type
scores
url https://github.com/advisories/GHSA-442j-39wm-28r2
fixed_packages
0
url pkg:npm/handlebars@4.7.9
purl pkg:npm/handlebars@4.7.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9
aliases GHSA-442j-39wm-28r2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rrb5-uk9f-zbc8
14
url VCID-s9ab-ntdt-vkgd
vulnerability_id VCID-s9ab-ntdt-vkgd
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
references
0
reference_url https://www.npmjs.com/advisories/1325
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1325
1
reference_url https://github.com/advisories/GHSA-g9r4-xpmj-mj65
reference_id GHSA-g9r4-xpmj-mj65
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g9r4-xpmj-mj65
fixed_packages
0
url pkg:npm/handlebars@4.5.3
purl pkg:npm/handlebars@4.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-3ej8-4wrb-dqed
2
vulnerability VCID-4e4r-qabs-cbg7
3
vulnerability VCID-4sp5-ymgy-qfg4
4
vulnerability VCID-81p2-vehj-hub1
5
vulnerability VCID-bkew-8c9k-mbh2
6
vulnerability VCID-cxf4-xmgb-aue5
7
vulnerability VCID-rrb5-uk9f-zbc8
8
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3
aliases GHSA-g9r4-xpmj-mj65, GMS-2020-729
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s9ab-ntdt-vkgd
15
url VCID-uv5v-22z9-fbfg
vulnerability_id VCID-uv5v-22z9-fbfg
summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
references
0
reference_url https://www.npmjs.com/advisories/1316
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/1316
1
reference_url https://github.com/advisories/GHSA-2cf5-4w76-r9qv
reference_id GHSA-2cf5-4w76-r9qv
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2cf5-4w76-r9qv
fixed_packages
0
url pkg:npm/handlebars@4.5.2
purl pkg:npm/handlebars@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-3ej8-4wrb-dqed
2
vulnerability VCID-4e4r-qabs-cbg7
3
vulnerability VCID-4sp5-ymgy-qfg4
4
vulnerability VCID-7c3a-mqkm-3ycc
5
vulnerability VCID-81p2-vehj-hub1
6
vulnerability VCID-bkew-8c9k-mbh2
7
vulnerability VCID-cxf4-xmgb-aue5
8
vulnerability VCID-q9rt-jtx1-hybx
9
vulnerability VCID-rrb5-uk9f-zbc8
10
vulnerability VCID-s9ab-ntdt-vkgd
11
vulnerability VCID-xxez-8xav-cfdz
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.2
aliases GHSA-2cf5-4w76-r9qv, GMS-2020-727
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uv5v-22z9-fbfg
16
url VCID-xxez-8xav-cfdz
vulnerability_id VCID-xxez-8xav-cfdz
summary
Remote code execution in handlebars when compiling templates
Versions of the package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when
certain compile options are selected to compile templates coming from an untrusted source.
This vulnerability has been assigned the CVE identifier CVE-2021-23369.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-23369
reference_id
reference_type
scores
0
value 0.03582
scoring_system epss
scoring_elements 0.87954
published_at 2026-06-04T12:55:00Z
1
value 0.03582
scoring_system epss
scoring_elements 0.87975
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-23369
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
3
reference_url https://github.com/advisories/GHSA-f2jv-r9rf-7988
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3
scoring_elements
url https://github.com/advisories/GHSA-f2jv-r9rf-7988
4
reference_url https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
5
reference_url https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
6
reference_url https://github.com/wycats/handlebars.js
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/wycats/handlebars.js
7
reference_url https://security.netapp.com/advisory/ntap-20210604-0008
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20210604-0008
8
reference_url https://security.netapp.com/advisory/ntap-20210604-0008/
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20210604-0008/
9
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
10
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
11
reference_url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
12
reference_url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1948761
reference_id 1948761
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1948761
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-23369
reference_id CVE-2021-23369
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-23369
15
reference_url https://access.redhat.com/errata/RHSA-2021:2500
reference_id RHSA-2021:2500
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:2500
16
reference_url https://access.redhat.com/errata/RHSA-2021:4032
reference_id RHSA-2021:4032
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4032
17
reference_url https://access.redhat.com/errata/RHSA-2021:4628
reference_id RHSA-2021:4628
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:4628
18
reference_url https://access.redhat.com/errata/RHSA-2023:1334
reference_id RHSA-2023:1334
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1334
fixed_packages
0
url pkg:npm/handlebars@4.7.7
purl pkg:npm/handlebars@4.7.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2r9d-e4z2-ckbh
1
vulnerability VCID-4e4r-qabs-cbg7
2
vulnerability VCID-4sp5-ymgy-qfg4
3
vulnerability VCID-81p2-vehj-hub1
4
vulnerability VCID-bkew-8c9k-mbh2
5
vulnerability VCID-cxf4-xmgb-aue5
6
vulnerability VCID-rrb5-uk9f-zbc8
7
vulnerability VCID-yv4k-1q7a-wqee
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7
aliases CVE-2021-23369, GHSA-f2jv-r9rf-7988
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xxez-8xav-cfdz
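The two records above give a fixed version for each advisory (4.5.2 for VCID-uv5v-22z9-fbfg, 4.7.7 for VCID-xxez-8xav-cfdz) while also reporting that 4.7.7 is itself still affected by other advisories, and the lookup reports 4.7.9 as the next non-vulnerable version. The following is an added example, not VulnerableCode's or handlebars' own code, that turns those data points into a lockfile check: it finds every installed copy of handlebars in a package-lock.json (including nested copies, which npm audit output often hides behind a top-level name), lists which of these two advisories each copy is affected by, and recommends the next non-vulnerable version rather than the per-advisory fix. The advisory table is only the two records shown here, not a complete handlebars advisory list; the sample lockfile is constructed for the example.

```javascript
// Added example (not VulnerableCode's code): audit a package-lock.json against the
// fixed versions reported above. Dependency-free semver handling, enough for
// npm-style x.y.z[-prerelease] strings.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error('not a semver version: ' + v);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts before the release it precedes
// (SemVer 2.0.0 item 11), so 4.7.7-beta.1 is still treated as below 4.7.7.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre && !y.pre) return -1;
  if (!x.pre && y.pre) return 1;
  return 0;
}

// Fixed versions taken from the records on this page (only these two advisories).
const ADVISORIES = [
  { id: 'VCID-uv5v-22z9-fbfg', alias: 'GHSA-2cf5-4w76-r9qv', fixed: '4.5.2' },
  { id: 'VCID-xxez-8xav-cfdz', alias: 'CVE-2021-23369', fixed: '4.7.7' },
];
// The lookup's next_non_vulnerable_version; the per-advisory fix 4.7.7 is not it.
const NEXT_NON_VULNERABLE = '4.7.9';

function affecting(version, advisories = ADVISORIES) {
  return advisories.filter(a => compareVersions(version, a.fixed) < 0).map(a => a.id);
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map, or v1 nested
// "dependencies") and report every installed copy of `name`.
function auditLock(lockJson, name = 'handlebars') {
  const lock = JSON.parse(lockJson);
  const found = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === 'node_modules/' + name || path.endsWith('/node_modules/' + name)) {
        found.push({ path, version: pkg.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, info] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + dep;
        if (dep === name) found.push({ path, version: info.version });
        if (info.dependencies) walk(info.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found.map(f => ({
    ...f,
    affectedBy: affecting(f.version),
    upgradeTo: compareVersions(f.version, NEXT_NON_VULNERABLE) < 0 ? NEXT_NON_VULNERABLE : null,
  }));
}

// Constructed sample lockfile (not from a real project): a direct copy at 4.0.6,
// the version this lookup is for, and a nested copy at 4.7.7 pulled in by a tool.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.0.6' },
    'node_modules/some-tool': { version: '2.0.0' },
    'node_modules/some-tool/node_modules/handlebars': { version: '4.7.7' },
  },
});

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(r.path, r.version, 'affected by:', r.affectedBy.join(', ') || 'none',
    r.upgradeTo ? '-> upgrade to ' + r.upgradeTo : '');
}
```

The nested 4.7.7 copy is the case worth noticing: it is clear of both advisories listed here, yet the record marks it is_vulnerable because of other advisories, which is why the check recommends the lookup's next non-vulnerable version instead of stopping at the CVE's fix. Replace SAMPLE_LOCK with require('fs').readFileSync('package-lock.json', 'utf8') to run it against a real project.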
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.0.6