Package Instance

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33916

reference_id

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33916

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id	1132141
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452509
reference_id	2452509
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452509

reference_url

reference_id

CVE-2021-23369

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

CVE-2021-23383

reference_type

scores

value	4.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-2qvq-rjwj-gvw9

reference_url

reference_id

GHSA-2qvq-rjwj-gvw9

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2qvq-rjwj-gvw9

fixed_packages

url	pkg:npm/handlebars@4.7.9
purl	pkg:npm/handlebars@4.7.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9

aliases CVE-2026-33916, GHSA-2qvq-rjwj-gvw9

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2r9d-e4z2-ckbh

url VCID-3ej8-4wrb-dqed

vulnerability_id VCID-3ej8-4wrb-dqed

summary

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-23383

reference_id

reference_type

scores

value	0.05666
scoring_system	epss
scoring_elements	0.90541
published_at	2026-06-04T12:55:00Z

value	0.05666
scoring_system	epss
scoring_elements	0.90553
published_at	2026-06-07T12:55:00Z

value	0.05666
scoring_system	epss
scoring_elements	0.90555
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-23383

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml

reference_url

https://security.netapp.com/advisory/ntap-20210618-0007

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210618-0007

reference_url	https://security.netapp.com/advisory/ntap-20210618-0007/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210618-0007/

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030

reference_url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029

reference_url

https://www.npmjs.com/package/handlebars

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.npmjs.com/package/handlebars

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1956688
reference_id	1956688
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1956688

reference_url

reference_id

CVE-2021-23383

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

GHSA-765h-qjxv-5f44

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json

reference_url	https://access.redhat.com/errata/RHSA-2021:2500
reference_id	RHSA-2021:2500
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2500

reference_url	https://access.redhat.com/errata/RHSA-2021:4032
reference_id	RHSA-2021:4032
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4032

reference_url	https://access.redhat.com/errata/RHSA-2021:4628
reference_id	RHSA-2021:4628
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4628

reference_url	https://access.redhat.com/errata/RHSA-2023:1334
reference_id	RHSA-2023:1334
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1334

fixed_packages

url pkg:npm/handlebars@4.7.7

purl pkg:npm/handlebars@4.7.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2r9d-e4z2-ckbh

vulnerability	VCID-4e4r-qabs-cbg7

vulnerability	VCID-4sp5-ymgy-qfg4

vulnerability	VCID-81p2-vehj-hub1

vulnerability	VCID-bkew-8c9k-mbh2

vulnerability	VCID-cxf4-xmgb-aue5

vulnerability	VCID-rrb5-uk9f-zbc8

vulnerability	VCID-yv4k-1q7a-wqee

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7

aliases CVE-2021-23383, GHSA-765h-qjxv-5f44

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ej8-4wrb-dqed

url VCID-4e4r-qabs-cbg7

vulnerability_id VCID-4e4r-qabs-cbg7

summary handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw

references

reference_url

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33941

reference_id

reference_type

scores

value	9e-05
scoring_system	epss
scoring_elements	0.00934
published_at	2026-06-07T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00935
published_at	2026-06-05T12:55:00Z

value	9e-05
scoring_system	epss
scoring_elements	0.00933
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33941

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941

reference_url

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33941

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33941

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id	1132141
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452524
reference_id	2452524
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452524

reference_url

https://github.com/advisories/GHSA-xjpj-3mr7-gcpf

reference_id

GHSA-xjpj-3mr7-gcpf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xjpj-3mr7-gcpf

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

fixed_packages

url	pkg:npm/handlebars@4.7.9
purl	pkg:npm/handlebars@4.7.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9

aliases CVE-2026-33941, GHSA-xjpj-3mr7-gcpf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4e4r-qabs-cbg7

url VCID-4sp5-ymgy-qfg4

vulnerability_id VCID-4sp5-ymgy-qfg4

summary handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33937

reference_id

reference_type

scores

value	0.0024
scoring_system	epss
scoring_elements	0.47494
published_at	2026-06-07T12:55:00Z

value	0.0024
scoring_system	epss
scoring_elements	0.4751
published_at	2026-06-05T12:55:00Z

value	0.0024
scoring_system	epss
scoring_elements	0.47512
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33937

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33937

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33937

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id	1132141
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452523
reference_id	2452523
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452523

reference_url

https://github.com/advisories/GHSA-2w6w-674q-4c4q

reference_id

GHSA-2w6w-674q-4c4q

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-2w6w-674q-4c4q

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

fixed_packages

url	pkg:npm/handlebars@4.7.9
purl	pkg:npm/handlebars@4.7.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9

aliases CVE-2026-33937, GHSA-2w6w-674q-4c4q

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4sp5-ymgy-qfg4

url VCID-81p2-vehj-hub1

vulnerability_id VCID-81p2-vehj-hub1

summary handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33940

reference_id

reference_type

scores

value	0.00032
scoring_system	epss
scoring_elements	0.09835
published_at	2026-06-07T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09841
published_at	2026-06-05T12:55:00Z

value	0.00032
scoring_system	epss
scoring_elements	0.09861
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33940

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940

reference_url

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33940

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33940

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id	1132141
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452521
reference_id	2452521
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452521

reference_url

https://github.com/advisories/GHSA-xhpv-hc6g-r9c6

reference_id

GHSA-xhpv-hc6g-r9c6

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xhpv-hc6g-r9c6

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

fixed_packages

url	pkg:npm/handlebars@4.7.9
purl	pkg:npm/handlebars@4.7.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9

aliases CVE-2026-33940, GHSA-xhpv-hc6g-r9c6

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-81p2-vehj-hub1

url VCID-bkew-8c9k-mbh2

vulnerability_id VCID-bkew-8c9k-mbh2

summary handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33938

reference_id

reference_type

scores

value	0.00048
scoring_system	epss
scoring_elements	0.15189
published_at	2026-06-07T12:55:00Z

value	0.00048
scoring_system	epss
scoring_elements	0.15242
published_at	2026-06-05T12:55:00Z

value	0.00048
scoring_system	epss
scoring_elements	0.15232
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33938

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938

reference_url

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33938

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33938

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id	1132141
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452525
reference_id	2452525
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452525

reference_url

https://github.com/advisories/GHSA-3mfm-83xf-c92r

reference_id

GHSA-3mfm-83xf-c92r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3mfm-83xf-c92r

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

fixed_packages

url	pkg:npm/handlebars@4.7.9
purl	pkg:npm/handlebars@4.7.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9

aliases CVE-2026-33938, GHSA-3mfm-83xf-c92r

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bkew-8c9k-mbh2

url VCID-cxf4-xmgb-aue5

vulnerability_id VCID-cxf4-xmgb-aue5

summary handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33939

reference_id

reference_type

scores

value	0.00076
scoring_system	epss
scoring_elements	0.22916
published_at	2026-06-07T12:55:00Z

value	0.00076
scoring_system	epss
scoring_elements	0.22975
published_at	2026-06-05T12:55:00Z

value	0.00076
scoring_system	epss
scoring_elements	0.2296
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33939

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33939

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33939

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
reference_id	1132141
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452508
reference_id	2452508
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452508

reference_url

https://github.com/advisories/GHSA-9cx6-37pm-9jff

reference_id

GHSA-9cx6-37pm-9jff

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9cx6-37pm-9jff

reference_url	https://access.redhat.com/errata/RHSA-2026:10175
reference_id	RHSA-2026:10175
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:10175

fixed_packages

url	pkg:npm/handlebars@4.7.9
purl	pkg:npm/handlebars@4.7.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9

aliases CVE-2026-33939, GHSA-9cx6-37pm-9jff

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cxf4-xmgb-aue5

url VCID-rrb5-uk9f-zbc8

vulnerability_id VCID-rrb5-uk9f-zbc8

summary

Handlebars.js has a Property Access Validation Bypass in container.lookup
## Summary

In `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform.

Only relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`.

## Description

The vulnerable code in `lib/handlebars/runtime.js` (lines 137–144):

```javascript
lookup: function (depths, name) {
  const len = depths.length;
  for (let i = 0; i < len; i++) {
    let result = depths[i] && container.lookupProperty(depths[i], name);
    if (result != null) {
      return depths[i][name];  // BUG: should be `return result;`
    }
  }
},
```

`container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned.

## Workarounds

- Avoid enabling `{ compat: true }` when rendering templates that include untrusted data.
- Ensure context data objects are plain JSON (no Proxies, no getter-based accessor properties).

references

reference_url

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

reference_url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2

reference_url

https://github.com/advisories/GHSA-442j-39wm-28r2

reference_id

GHSA-442j-39wm-28r2

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-442j-39wm-28r2

fixed_packages

url	pkg:npm/handlebars@4.7.9
purl	pkg:npm/handlebars@4.7.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9

aliases GHSA-442j-39wm-28r2

risk_score 1.6

exploitability 0.5

weighted_severity 3.3

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rrb5-uk9f-zbc8

url VCID-xxez-8xav-cfdz

vulnerability_id VCID-xxez-8xav-cfdz

summary

Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when
selecting certain compiling options to compile templates coming from an untrusted source.
This vulnerability has been assigned the CVE identifier CVE-2021-23369.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-23369

reference_id

reference_type

scores

value	0.03582
scoring_system	epss
scoring_elements	0.87954
published_at	2026-06-04T12:55:00Z

value	0.03582
scoring_system	epss
scoring_elements	0.87978
published_at	2026-06-07T12:55:00Z

value	0.03582
scoring_system	epss
scoring_elements	0.87975
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-23369

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369

reference_url

https://github.com/advisories/GHSA-f2jv-r9rf-7988

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f2jv-r9rf-7988

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8

reference_url

https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427

reference_url

https://github.com/wycats/handlebars.js

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/wycats/handlebars.js

reference_url

https://security.netapp.com/advisory/ntap-20210604-0008

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210604-0008

reference_url	https://security.netapp.com/advisory/ntap-20210604-0008/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210604-0008/

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951

reference_url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952

reference_url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1948761
reference_id	1948761
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1948761

reference_url

reference_id

CVE-2021-23369

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

reference_url	https://access.redhat.com/errata/RHSA-2021:2500
reference_id	RHSA-2021:2500
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:2500

reference_url	https://access.redhat.com/errata/RHSA-2021:4032
reference_id	RHSA-2021:4032
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4032

reference_url	https://access.redhat.com/errata/RHSA-2021:4628
reference_id	RHSA-2021:4628
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4628

reference_url	https://access.redhat.com/errata/RHSA-2023:1334
reference_id	RHSA-2023:1334
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1334

fixed_packages

url pkg:npm/handlebars@4.7.7

purl pkg:npm/handlebars@4.7.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2r9d-e4z2-ckbh

vulnerability	VCID-4e4r-qabs-cbg7

vulnerability	VCID-4sp5-ymgy-qfg4

vulnerability	VCID-81p2-vehj-hub1

vulnerability	VCID-bkew-8c9k-mbh2

vulnerability	VCID-cxf4-xmgb-aue5

vulnerability	VCID-rrb5-uk9f-zbc8

vulnerability	VCID-yv4k-1q7a-wqee

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7

aliases CVE-2021-23369, GHSA-f2jv-r9rf-7988

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xxez-8xav-cfdz

url VCID-yv4k-1q7a-wqee

vulnerability_id VCID-yv4k-1q7a-wqee

summary

Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
## Summary

The prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric `__lookupSetter__`. This omission is only exploitable when the non-default runtime option `allowProtoMethodsByDefault: true` is explicitly set — in that configuration `__lookupSetter__` becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.

`4.6.0` is the version that introduced `protoAccessControl` and the `allowProtoMethodsByDefault` runtime option.

## Description

In `lib/handlebars/internal/proto-access.js`:

```javascript
const methodWhiteList = Object.create(null);
methodWhiteList['constructor']      = false;
methodWhiteList['__defineGetter__'] = false;
methodWhiteList['__defineSetter__'] = false;
methodWhiteList['__lookupGetter__'] = false;
// __lookupSetter__ intentionally blocked in CVE-2021-23383,
// but omitted here — creating an asymmetric blocklist
```

All four legacy accessor helpers (`__defineGetter__`, `__defineSetter__`, `__lookupGetter__`, `__lookupSetter__`) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; `__lookupSetter__` was left out.

When `allowProtoMethodsByDefault: true` is set, any prototype method **not present** in `methodWhiteList` is permitted by default. Because `__lookupSetter__` is absent from the list, it passes the `checkWhiteList` check and is accessible in templates, while `__lookupGetter__` (its sibling) is correctly denied.

## Workarounds

- Do **not** set `allowProtoMethodsByDefault: true`. The default configuration is not affected.
- If `allowProtoMethodsByDefault` must be enabled, ensure templates do not reference  `__lookupSetter__` through untrusted input.

references

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

reference_url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh

reference_url

reference_id

GHSA-765h-qjxv-5f44

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url