Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/236282?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/236282?format=api", "purl": "pkg:npm/handlebars@4.0.6", "type": "npm", "namespace": "", "name": "handlebars", "version": "4.0.6", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.7.9", "latest_non_vulnerable_version": "4.7.9", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53220?format=api", "vulnerability_id": "VCID-25sr-kapq-dbea", "summary": "Denial of Service in handlebars\nAffected versions of `handlebars` are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 4.4.5 or later.", "references": [ { "reference_url": "https://www.npmjs.com/advisories/1300", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1300" }, { "reference_url": "https://github.com/advisories/GHSA-f52g-6jhx-586p", "reference_id": "GHSA-f52g-6jhx-586p", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f52g-6jhx-586p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60585?format=api", "purl": "pkg:npm/handlebars@4.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-7c3a-mqkm-3ycc" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-q9rt-jtx1-hybx" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-s9ab-ntdt-vkgd" }, { "vulnerability": "VCID-uv5v-22z9-fbfg" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.4.5" } ], "aliases": [ "GHSA-f52g-6jhx-586p", "GMS-2020-728" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-25sr-kapq-dbea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64121?format=api", "vulnerability_id": "VCID-2r9d-e4z2-ckbh", "summary": "handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33916", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00072", "scoring_system": "epss", "scoring_elements": "0.22105", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33916" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141", "reference_id": "1132141", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452509", "reference_id": "2452509", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452509" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", "reference_id": "CVE-2021-23369", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", "reference_id": "CVE-2021-23383", "reference_type": "", "scores": [ { "value": "4.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" }, { "reference_url": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9", "reference_id": "GHSA-2qvq-rjwj-gvw9", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112601?format=api", "purl": "pkg:npm/handlebars@4.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9" } ], "aliases": [ "CVE-2026-33916", "GHSA-2qvq-rjwj-gvw9" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2r9d-e4z2-ckbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42343?format=api", "vulnerability_id": "VCID-3ej8-4wrb-dqed", "summary": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nThe package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-23383", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05666", "scoring_system": "epss", "scoring_elements": "0.90555", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.05666", "scoring_system": "epss", "scoring_elements": "0.90541", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-23383" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210618-0007", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20210618-0007" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210618-0007/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20210618-0007/" }, { "reference_url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031" }, { "reference_url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032" }, { "reference_url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029" }, { "reference_url": "https://www.npmjs.com/package/handlebars", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/handlebars" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688", "reference_id": "1956688", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1956688" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", "reference_id": "CVE-2021-23383", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" }, { "reference_url": "https://github.com/advisories/GHSA-765h-qjxv-5f44", "reference_id": "GHSA-765h-qjxv-5f44", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-765h-qjxv-5f44" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2500", "reference_id": "RHSA-2021:2500", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2500" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4032", "reference_id": "RHSA-2021:4032", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4032" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4628", "reference_id": "RHSA-2021:4628", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4628" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1334", "reference_id": "RHSA-2023:1334", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60541?format=api", "purl": "pkg:npm/handlebars@4.7.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-yv4k-1q7a-wqee" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7" } ], "aliases": [ "CVE-2021-23383", "GHSA-765h-qjxv-5f44" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3ej8-4wrb-dqed" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64115?format=api", "vulnerability_id": "VCID-4e4r-qabs-cbg7", "summary": "handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33941", "reference_id": "", "reference_type": "", "scores": [ { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00935", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33941" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33941", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33941" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141", "reference_id": "1132141", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452524", "reference_id": "2452524", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452524" }, { "reference_url": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf", "reference_id": "GHSA-xjpj-3mr7-gcpf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10175", "reference_id": "RHSA-2026:10175", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10175" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112601?format=api", "purl": "pkg:npm/handlebars@4.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9" } ], "aliases": [ "CVE-2026-33941", "GHSA-xjpj-3mr7-gcpf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4e4r-qabs-cbg7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64120?format=api", "vulnerability_id": "VCID-4sp5-ymgy-qfg4", "summary": "handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33937", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0024", "scoring_system": "epss", "scoring_elements": "0.4751", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33937" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141", "reference_id": "1132141", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452523", "reference_id": "2452523", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452523" }, { "reference_url": "https://github.com/advisories/GHSA-2w6w-674q-4c4q", "reference_id": "GHSA-2w6w-674q-4c4q", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2w6w-674q-4c4q" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10175", "reference_id": "RHSA-2026:10175", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10175" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112601?format=api", "purl": "pkg:npm/handlebars@4.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9" } ], "aliases": [ "CVE-2026-33937", "GHSA-2w6w-674q-4c4q" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4sp5-ymgy-qfg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42369?format=api", "vulnerability_id": "VCID-7c3a-mqkm-3ycc", "summary": "Improper Control of Generation of Code ('Code Injection')\nHandlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20920", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00343", "scoring_system": "epss", "scoring_elements": "0.57143", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00343", "scoring_system": "epss", "scoring_elements": "0.57194", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20920" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" }, { "reference_url": "https://www.npmjs.com/advisories/1316", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1316" }, { "reference_url": "https://www.npmjs.com/advisories/1324", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1324" }, { "reference_url": "https://www.npmjs.com/package/handlebars", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/handlebars" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260", "reference_id": "1882260", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882260" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", "reference_id": "CVE-2019-20920", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" }, { "reference_url": "https://github.com/advisories/GHSA-3cqr-58rm-57f8", "reference_id": "GHSA-3cqr-58rm-57f8", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3cqr-58rm-57f8" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:5179", "reference_id": "RHSA-2020:5179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:5179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2500", "reference_id": "RHSA-2021:2500", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2500" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3917", "reference_id": "RHSA-2021:3917", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1334", "reference_id": "RHSA-2023:1334", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60597?format=api", "purl": "pkg:npm/handlebars@4.5.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3" } ], "aliases": [ "CVE-2019-20920", "GHSA-3cqr-58rm-57f8" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7c3a-mqkm-3ycc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64116?format=api", "vulnerability_id": "VCID-81p2-vehj-hub1", "summary": "handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33940", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00032", "scoring_system": "epss", "scoring_elements": "0.09841", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33940" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33940", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33940" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141", "reference_id": "1132141", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452521", "reference_id": "2452521", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452521" }, { "reference_url": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6", "reference_id": "GHSA-xhpv-hc6g-r9c6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10175", "reference_id": "RHSA-2026:10175", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10175" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112601?format=api", "purl": "pkg:npm/handlebars@4.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9" } ], "aliases": [ "CVE-2026-33940", "GHSA-xhpv-hc6g-r9c6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-81p2-vehj-hub1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64119?format=api", "vulnerability_id": "VCID-bkew-8c9k-mbh2", "summary": "handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33938", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00048", "scoring_system": "epss", "scoring_elements": "0.15242", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33938" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33938", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33938" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141", "reference_id": "1132141", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452525", "reference_id": "2452525", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452525" }, { "reference_url": "https://github.com/advisories/GHSA-3mfm-83xf-c92r", "reference_id": "GHSA-3mfm-83xf-c92r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3mfm-83xf-c92r" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10175", "reference_id": "RHSA-2026:10175", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10175" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112601?format=api", "purl": "pkg:npm/handlebars@4.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9" } ], "aliases": [ "CVE-2026-33938", "GHSA-3mfm-83xf-c92r" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bkew-8c9k-mbh2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42364?format=api", "vulnerability_id": "VCID-cfg5-1ju5-73b1", "summary": "Uncontrolled Resource Consumption\nHandlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20922", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00291", "scoring_system": "epss", "scoring_elements": "0.52798", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00291", "scoring_system": "epss", "scoring_elements": "0.52739", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-20922" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388" }, { "reference_url": "https://www.npmjs.com/advisories/1300", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1300" }, { "reference_url": "https://www.npmjs.com/package/handlebars", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/handlebars" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256", "reference_id": "1882256", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1882256" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", "reference_id": "CVE-2019-20922", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" }, { "reference_url": "https://github.com/advisories/GHSA-62gr-4qp9-h98f", "reference_id": "GHSA-62gr-4qp9-h98f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-62gr-4qp9-h98f" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2020:5179", "reference_id": "RHSA-2020:5179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2020:5179" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2500", "reference_id": "RHSA-2021:2500", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2500" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3917", "reference_id": "RHSA-2021:3917", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3917" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1334", "reference_id": "RHSA-2023:1334", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60585?format=api", "purl": "pkg:npm/handlebars@4.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-7c3a-mqkm-3ycc" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-q9rt-jtx1-hybx" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-s9ab-ntdt-vkgd" }, { "vulnerability": "VCID-uv5v-22z9-fbfg" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.4.5" } ], "aliases": [ "CVE-2019-20922", "GHSA-62gr-4qp9-h98f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cfg5-1ju5-73b1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64118?format=api", "vulnerability_id": "VCID-cxf4-xmgb-aue5", "summary": "handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33939", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00076", "scoring_system": "epss", "scoring_elements": "0.22975", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-33939" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/" } ], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33939", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33939" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141", "reference_id": "1132141", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452508", "reference_id": "2452508", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452508" }, { "reference_url": "https://github.com/advisories/GHSA-9cx6-37pm-9jff", "reference_id": "GHSA-9cx6-37pm-9jff", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-9cx6-37pm-9jff" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10175", "reference_id": "RHSA-2026:10175", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10175" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112601?format=api", "purl": "pkg:npm/handlebars@4.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9" } ], "aliases": [ "CVE-2026-33939", "GHSA-9cx6-37pm-9jff" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cxf4-xmgb-aue5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41047?format=api", "vulnerability_id": "VCID-f1td-t6kf-wfcm", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.", "references": [ { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/issues/1495", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/issues/1495" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692" }, { "reference_url": "https://www.npmjs.com/advisories/755", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/755" }, { "reference_url": "https://github.com/advisories/GHSA-q42p-pg8m-cqh6", "reference_id": "GHSA-q42p-pg8m-cqh6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q42p-pg8m-cqh6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58155?format=api", "purl": "pkg:npm/handlebars@4.0.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25sr-kapq-dbea" }, { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-7c3a-mqkm-3ycc" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cfg5-1ju5-73b1" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-nhz2-v28w-gye1" }, { "vulnerability": "VCID-q9rt-jtx1-hybx" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-s9ab-ntdt-vkgd" }, { "vulnerability": "VCID-uv5v-22z9-fbfg" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.0.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/58156?format=api", "purl": "pkg:npm/handlebars@4.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25sr-kapq-dbea" }, { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-7c3a-mqkm-3ycc" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cfg5-1ju5-73b1" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-nhz2-v28w-gye1" }, { "vulnerability": "VCID-q9rt-jtx1-hybx" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-s9ab-ntdt-vkgd" }, { "vulnerability": "VCID-uv5v-22z9-fbfg" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.1.2" } ], "aliases": [ "GHSA-q42p-pg8m-cqh6", "GMS-2019-126" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f1td-t6kf-wfcm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51602?format=api", "vulnerability_id": "VCID-nhz2-v28w-gye1", "summary": "Prototype Pollution in handlebars\nThe bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'.\nVersions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0.\n\nVersions Affected: 0.3.3.5-0.3.3.8\nNot affected: < 0.3.3.5\nFixed Versions: None\n\nVersions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution.\nTemplates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute\narbitrary code through crafted payloads.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19919", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.24752", "scoring_system": "epss", "scoring_elements": "0.96254", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.24752", "scoring_system": "epss", "scoring_elements": "0.96248", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-19919" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919" }, { "reference_url": "https://github.com/advisories/GHSA-w457-6q6x-cgp9", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w457-6q6x-cgp9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db" }, { "reference_url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js" }, { "reference_url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5" }, { "reference_url": "https://github.com/wycats/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wycats/handlebars.js" }, { "reference_url": "https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc" }, { "reference_url": "https://github.com/wycats/handlebars.js/issues/1558", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wycats/handlebars.js/issues/1558" }, { "reference_url": "https://www.npmjs.com/advisories/1164", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.npmjs.com/advisories/1164" }, { "reference_url": "https://www.tenable.com/security/tns-2021-14", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.tenable.com/security/tns-2021-14" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789959", "reference_id": "1789959", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789959" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919", "reference_id": "CVE-2019-19919", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml", "reference_id": "CVE-2019-19919.YML", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1334", "reference_id": "RHSA-2023:1334", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76410?format=api", "purl": "pkg:npm/handlebars@4.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-25sr-kapq-dbea" }, { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-7c3a-mqkm-3ycc" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cfg5-1ju5-73b1" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-q9rt-jtx1-hybx" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-s9ab-ntdt-vkgd" }, { "vulnerability": "VCID-uv5v-22z9-fbfg" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.3.0" } ], "aliases": [ "CVE-2019-19919", "GHSA-w457-6q6x-cgp9" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nhz2-v28w-gye1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53518?format=api", "vulnerability_id": "VCID-q9rt-jtx1-hybx", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.", "references": [ { "reference_url": "https://www.npmjs.com/advisories/1324", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1324" }, { "reference_url": "https://github.com/advisories/GHSA-q2c6-c6pm-g3gh", "reference_id": "GHSA-q2c6-c6pm-g3gh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q2c6-c6pm-g3gh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60597?format=api", "purl": "pkg:npm/handlebars@4.5.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3" } ], "aliases": [ "GHSA-q2c6-c6pm-g3gh", "GMS-2020-730" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q9rt-jtx1-hybx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/91102?format=api", "vulnerability_id": "VCID-rrb5-uk9f-zbc8", "summary": "Handlebars.js has a Property Access Validation Bypass in container.lookup\n## Summary\n\nIn `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform.\n\nOnly relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`.\n\n## Description\n\nThe vulnerable code in `lib/handlebars/runtime.js` (lines 137–144):\n\n```javascript\nlookup: function (depths, name) {\n const len = depths.length;\n for (let i = 0; i < len; i++) {\n let result = depths[i] && container.lookupProperty(depths[i], name);\n if (result != null) {\n return depths[i][name]; // BUG: should be `return result;`\n }\n }\n},\n```\n\n`container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned.\n\n## Workarounds\n\n- Avoid enabling `{ compat: true }` when rendering templates that include untrusted data.\n- Ensure context data objects are plain JSON (no Proxies, no getter-based accessor properties).", "references": [ { "reference_url": "https://github.com/handlebars-lang/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2" }, { "reference_url": "https://github.com/advisories/GHSA-442j-39wm-28r2", "reference_id": "GHSA-442j-39wm-28r2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-442j-39wm-28r2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/112601?format=api", "purl": "pkg:npm/handlebars@4.7.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9" } ], "aliases": [ "GHSA-442j-39wm-28r2" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rrb5-uk9f-zbc8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53462?format=api", "vulnerability_id": "VCID-s9ab-ntdt-vkgd", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.", "references": [ { "reference_url": "https://www.npmjs.com/advisories/1325", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1325" }, { "reference_url": "https://github.com/advisories/GHSA-g9r4-xpmj-mj65", "reference_id": "GHSA-g9r4-xpmj-mj65", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g9r4-xpmj-mj65" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60597?format=api", "purl": "pkg:npm/handlebars@4.5.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3" } ], "aliases": [ "GHSA-g9r4-xpmj-mj65", "GMS-2020-729" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s9ab-ntdt-vkgd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/53543?format=api", "vulnerability_id": "VCID-uv5v-22z9-fbfg", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.", "references": [ { "reference_url": "https://www.npmjs.com/advisories/1316", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1316" }, { "reference_url": "https://github.com/advisories/GHSA-2cf5-4w76-r9qv", "reference_id": "GHSA-2cf5-4w76-r9qv", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-2cf5-4w76-r9qv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/78597?format=api", "purl": "pkg:npm/handlebars@4.5.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-3ej8-4wrb-dqed" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-7c3a-mqkm-3ycc" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-q9rt-jtx1-hybx" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-s9ab-ntdt-vkgd" }, { "vulnerability": "VCID-xxez-8xav-cfdz" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.2" } ], "aliases": [ "GHSA-2cf5-4w76-r9qv", "GMS-2020-727" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uv5v-22z9-fbfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51487?format=api", "vulnerability_id": "VCID-xxez-8xav-cfdz", "summary": "Remote code execution in handlebars when compiling templates\nThe package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when\nselecting certain compiling options to compile templates coming from an untrusted source.\nThis vulnerability has been assigned the CVE identifier CVE-2021-23369.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-23369", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03582", "scoring_system": "epss", "scoring_elements": "0.87954", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03582", "scoring_system": "epss", "scoring_elements": "0.87975", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-23369" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369" }, { "reference_url": "https://github.com/advisories/GHSA-f2jv-r9rf-7988", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f2jv-r9rf-7988" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8" }, { "reference_url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427" }, { "reference_url": "https://github.com/wycats/handlebars.js", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/wycats/handlebars.js" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210604-0008", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20210604-0008" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20210604-0008/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.netapp.com/advisory/ntap-20210604-0008/" }, { "reference_url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950" }, { "reference_url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951" }, { "reference_url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952" }, { "reference_url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761", "reference_id": "1948761", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948761" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", "reference_id": "CVE-2021-23369", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:2500", "reference_id": "RHSA-2021:2500", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:2500" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4032", "reference_id": "RHSA-2021:4032", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4032" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:4628", "reference_id": "RHSA-2021:4628", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:4628" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1334", "reference_id": "RHSA-2023:1334", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1334" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60541?format=api", "purl": "pkg:npm/handlebars@4.7.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2r9d-e4z2-ckbh" }, { "vulnerability": "VCID-4e4r-qabs-cbg7" }, { "vulnerability": "VCID-4sp5-ymgy-qfg4" }, { "vulnerability": "VCID-81p2-vehj-hub1" }, { "vulnerability": "VCID-bkew-8c9k-mbh2" }, { "vulnerability": "VCID-cxf4-xmgb-aue5" }, { "vulnerability": "VCID-rrb5-uk9f-zbc8" }, { "vulnerability": "VCID-yv4k-1q7a-wqee" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7" } ], "aliases": [ "CVE-2021-23369", "GHSA-f2jv-r9rf-7988" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xxez-8xav-cfdz" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.0.6" }