VulnerableCode Package Details - pkg:npm/handlebars@3.0.8

Search for packages

Vulnerability	Summary	Fixed by
VCID-xxez-8xav-cfdz Aliases: CVE-2021-23369 GHSA-f2jv-r9rf-7988	Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369.	4.7.7 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-xxez-8xav-cfdz
Aliases:
CVE-2021-23369
GHSA-f2jv-r9rf-7988

Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369.

4.7.7
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7c3a-mqkm-3ycc	Improper Control of Generation of Code ('Code Injection') Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).	CVE-2019-20920 GHSA-3cqr-58rm-57f8
VCID-nhz2-v28w-gye1	Prototype Pollution in handlebars The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. Versions Affected: 0.3.3.5-0.3.3.8 Not affected: < 0.3.3.5 Fixed Versions: None Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.	CVE-2019-19919 GHSA-w457-6q6x-cgp9
VCID-q9rt-jtx1-hybx	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	GHSA-q2c6-c6pm-g3gh GMS-2020-730
VCID-s9ab-ntdt-vkgd	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	GHSA-g9r4-xpmj-mj65 GMS-2020-729
VCID-uv5v-22z9-fbfg	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	GHSA-2cf5-4w76-r9qv GMS-2020-727

Vulnerability

Summary

Aliases

VCID-7c3a-mqkm-3ycc

Improper Control of Generation of Code ('Code Injection') Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

CVE-2019-20920
GHSA-3cqr-58rm-57f8

VCID-nhz2-v28w-gye1

Prototype Pollution in handlebars The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. Versions Affected: 0.3.3.5-0.3.3.8 Not affected: < 0.3.3.5 Fixed Versions: None Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

CVE-2019-19919
GHSA-w457-6q6x-cgp9

VCID-q9rt-jtx1-hybx

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

GHSA-q2c6-c6pm-g3gh
GMS-2020-730

VCID-s9ab-ntdt-vkgd

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

GHSA-g9r4-xpmj-mj65
GMS-2020-729

VCID-uv5v-22z9-fbfg

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.

GHSA-2cf5-4w76-r9qv
GMS-2020-727

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:50:30.650328+00:00	GitLab Importer	Affected by	VCID-xxez-8xav-cfdz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2021-23369.yml	38.6.0
2026-06-04T17:50:00.331382+00:00	GithubOSV Importer	Fixing	VCID-7c3a-mqkm-3ycc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-3cqr-58rm-57f8/GHSA-3cqr-58rm-57f8.json	38.6.0
2026-06-04T17:42:00.863080+00:00	GithubOSV Importer	Fixing	VCID-nhz2-v28w-gye1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-w457-6q6x-cgp9/GHSA-w457-6q6x-cgp9.json	38.6.0
2026-06-04T17:22:55.463622+00:00	GithubOSV Importer	Fixing	VCID-uv5v-22z9-fbfg	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2cf5-4w76-r9qv/GHSA-2cf5-4w76-r9qv.json	38.6.0
2026-06-04T17:22:10.136739+00:00	GithubOSV Importer	Fixing	VCID-s9ab-ntdt-vkgd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-g9r4-xpmj-mj65/GHSA-g9r4-xpmj-mj65.json	38.6.0
2026-06-04T17:21:54.131601+00:00	GithubOSV Importer	Fixing	VCID-q9rt-jtx1-hybx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-q2c6-c6pm-g3gh/GHSA-q2c6-c6pm-g3gh.json	38.6.0
2026-06-04T16:20:23.849102+00:00	GitLab Importer	Fixing	VCID-uv5v-22z9-fbfg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-727.yml	38.6.0
2026-06-04T16:20:23.255336+00:00	GitLab Importer	Fixing	VCID-q9rt-jtx1-hybx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-730.yml	38.6.0
2026-06-04T16:20:22.223624+00:00	GitLab Importer	Fixing	VCID-s9ab-ntdt-vkgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-729.yml	38.6.0
2026-06-02T04:41:32.628554+00:00	GitLab Importer	Fixing	VCID-7c3a-mqkm-3ycc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2019-20920.yml	38.6.0