Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/handlebars@4.5.0
purl pkg:npm/handlebars@4.5.0
Next non-vulnerable version 4.7.7
Latest non-vulnerable version 4.7.9
Risk 4.5
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-3ej8-4wrb-dqed
Aliases:
CVE-2021-23383
GHSA-765h-qjxv-5f44
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
4.7.7
Affected by 0 other vulnerabilities.
VCID-7c3a-mqkm-3ycc
Aliases:
CVE-2019-20920
GHSA-3cqr-58rm-57f8
Improper Control of Generation of Code ('Code Injection') Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
4.5.3
Affected by 2 other vulnerabilities.
VCID-q9rt-jtx1-hybx
Aliases:
GHSA-q2c6-c6pm-g3gh
GMS-2020-730
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
4.5.3
Affected by 2 other vulnerabilities.
VCID-s9ab-ntdt-vkgd
Aliases:
GHSA-g9r4-xpmj-mj65
GMS-2020-729
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
4.5.3
Affected by 2 other vulnerabilities.
VCID-uv5v-22z9-fbfg
Aliases:
GHSA-2cf5-4w76-r9qv
GMS-2020-727
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.
4.5.2
Affected by 5 other vulnerabilities.
VCID-xxez-8xav-cfdz
Aliases:
CVE-2021-23369
GHSA-f2jv-r9rf-7988
Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369.
4.7.7
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T01:28:41.119068+00:00 GitLab Importer Affected by VCID-7c3a-mqkm-3ycc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2019-20920.yml 38.6.0
2026-06-06T01:27:04.353503+00:00 GitLab Importer Affected by VCID-3ej8-4wrb-dqed https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2021-23383.yml 38.6.0
2026-06-04T20:50:30.713893+00:00 GitLab Importer Affected by VCID-xxez-8xav-cfdz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2021-23369.yml 38.6.0
2026-06-04T20:38:24.077703+00:00 GitLab Importer Affected by VCID-uv5v-22z9-fbfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-727.yml 38.6.0
2026-06-04T20:38:12.422843+00:00 GitLab Importer Affected by VCID-q9rt-jtx1-hybx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-730.yml 38.6.0
2026-06-04T20:37:53.549668+00:00 GitLab Importer Affected by VCID-s9ab-ntdt-vkgd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-729.yml 38.6.0