{"url":"http://public2.vulnerablecode.io/api/packages/118688?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.6%2B~4.1.0-2?distro=trixie","type":"deb","namespace":"debian","name":"node-handlebars","version":"3:4.7.6+~4.1.0-2","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3:4.7.9-1","latest_non_vulnerable_version":"3:4.7.9-5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64121?format=json","vulnerability_id":"VCID-2r9d-e4z2-ckbh","summary":"handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21996","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22105","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.2209","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22043","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.21986","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509","reference_id":"2452509","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"CVE-2021-23369","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"},{"reference_url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"GHSA-2qvq-rjwj-gvw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118691?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2026-33916","GHSA-2qvq-rjwj-gvw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2r9d-e4z2-ckbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64115?format=json","vulnerability_id":"VCID-4e4r-qabs-cbg7","summary":"handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00932","published_at":"2026-06-08T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00935","published_at":"2026-06-05T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00933","published_at":"2026-06-06T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00934","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524","reference_id":"2452524","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524"},{"reference_url":"https://github.com/advisories/GHSA-xjpj-3mr7-gcpf","reference_id":"GHSA-xjpj-3mr7-gcpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118691?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2026-33941","GHSA-xjpj-3mr7-gcpf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4e4r-qabs-cbg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64120?format=json","vulnerability_id":"VCID-4sp5-ymgy-qfg4","summary":"handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47478","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.4751","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47512","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47494","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47465","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523","reference_id":"2452523","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523"},{"reference_url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q","reference_id":"GHSA-2w6w-674q-4c4q","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118691?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2026-33937","GHSA-2w6w-674q-4c4q"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4sp5-ymgy-qfg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64116?format=json","vulnerability_id":"VCID-81p2-vehj-hub1","summary":"handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09784","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09841","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09861","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09835","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09752","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452521","reference_id":"2452521","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452521"},{"reference_url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"GHSA-xhpv-hc6g-r9c6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118691?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2026-33940","GHSA-xhpv-hc6g-r9c6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-81p2-vehj-hub1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64119?format=json","vulnerability_id":"VCID-bkew-8c9k-mbh2","summary":"handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.1513","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15242","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15232","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15189","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15106","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452525","reference_id":"2452525","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452525"},{"reference_url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r","reference_id":"GHSA-3mfm-83xf-c92r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118691?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2026-33938","GHSA-3mfm-83xf-c92r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bkew-8c9k-mbh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64118?format=json","vulnerability_id":"VCID-cxf4-xmgb-aue5","summary":"handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22866","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22975","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.2296","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22916","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22863","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508","reference_id":"2452508","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508"},{"reference_url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff","reference_id":"GHSA-9cx6-37pm-9jff","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118691?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2026-33939","GHSA-9cx6-37pm-9jff"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cxf4-xmgb-aue5"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42343?format=json","vulnerability_id":"VCID-3ej8-4wrb-dqed","summary":"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nThe package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383","reference_id":"","reference_type":"","scores":[{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90541","published_at":"2026-06-04T12:55:00Z"},{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90568","published_at":"2026-06-09T12:55:00Z"},{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90552","published_at":"2026-06-08T12:55:00Z"},{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90553","published_at":"2026-06-07T12:55:00Z"},{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90555","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210618-0007"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210618-0007/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688","reference_id":"1956688","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"},{"reference_url":"https://github.com/advisories/GHSA-765h-qjxv-5f44","reference_id":"GHSA-765h-qjxv-5f44","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-765h-qjxv-5f44"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4628","reference_id":"RHSA-2021:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118688?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.6%2B~4.1.0-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.6%252B~4.1.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118686?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.7%2B~4.1.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.7%252B~4.1.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2021-23383","GHSA-765h-qjxv-5f44"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3ej8-4wrb-dqed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42369?format=json","vulnerability_id":"VCID-7c3a-mqkm-3ycc","summary":"Improper Control of Generation of Code ('Code Injection')\nHandlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20920","reference_id":"","reference_type":"","scores":[{"value":"0.00343","scoring_system":"epss","scoring_elements":"0.5719","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00343","scoring_system":"epss","scoring_elements":"0.57176","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00343","scoring_system":"epss","scoring_elements":"0.57143","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00343","scoring_system":"epss","scoring_elements":"0.57194","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00343","scoring_system":"epss","scoring_elements":"0.57202","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20920"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478"},{"reference_url":"https://www.npmjs.com/advisories/1316","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1316"},{"reference_url":"https://www.npmjs.com/advisories/1324","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1324"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882260","reference_id":"1882260","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882260"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20920","reference_id":"CVE-2019-20920","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20920"},{"reference_url":"https://github.com/advisories/GHSA-3cqr-58rm-57f8","reference_id":"GHSA-3cqr-58rm-57f8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cqr-58rm-57f8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5179","reference_id":"RHSA-2020:5179","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5179"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3917","reference_id":"RHSA-2021:3917","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3917"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118687?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.5.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.5.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118688?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.6%2B~4.1.0-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.6%252B~4.1.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118686?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.7%2B~4.1.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.7%252B~4.1.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2019-20920","GHSA-3cqr-58rm-57f8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7c3a-mqkm-3ycc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42364?format=json","vulnerability_id":"VCID-cfg5-1ju5-73b1","summary":"Uncontrolled Resource Consumption\nHandlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20922","reference_id":"","reference_type":"","scores":[{"value":"0.00291","scoring_system":"epss","scoring_elements":"0.52786","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00291","scoring_system":"epss","scoring_elements":"0.52739","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00291","scoring_system":"epss","scoring_elements":"0.52798","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00291","scoring_system":"epss","scoring_elements":"0.52805","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00291","scoring_system":"epss","scoring_elements":"0.52788","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00291","scoring_system":"epss","scoring_elements":"0.52762","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20922"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388"},{"reference_url":"https://www.npmjs.com/advisories/1300","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1300"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882256","reference_id":"1882256","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882256"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20922","reference_id":"CVE-2019-20922","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20922"},{"reference_url":"https://github.com/advisories/GHSA-62gr-4qp9-h98f","reference_id":"GHSA-62gr-4qp9-h98f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-62gr-4qp9-h98f"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5179","reference_id":"RHSA-2020:5179","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5179"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3917","reference_id":"RHSA-2021:3917","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3917"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118690?format=json","purl":"pkg:deb/debian/node-handlebars@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118688?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.6%2B~4.1.0-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.6%252B~4.1.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118686?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.7%2B~4.1.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.7%252B~4.1.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2019-20922","GHSA-62gr-4qp9-h98f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cfg5-1ju5-73b1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51602?format=json","vulnerability_id":"VCID-nhz2-v28w-gye1","summary":"Prototype Pollution in handlebars\nThe bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'.\nVersions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0.\n\nVersions Affected: 0.3.3.5-0.3.3.8\nNot affected: < 0.3.3.5\nFixed Versions: None\n\nVersions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution.\nTemplates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute\narbitrary code through crafted payloads.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-19919.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19919","reference_id":"","reference_type":"","scores":[{"value":"0.24752","scoring_system":"epss","scoring_elements":"0.96261","published_at":"2026-06-09T12:55:00Z"},{"value":"0.24752","scoring_system":"epss","scoring_elements":"0.96256","published_at":"2026-06-08T12:55:00Z"},{"value":"0.24752","scoring_system":"epss","scoring_elements":"0.96248","published_at":"2026-06-04T12:55:00Z"},{"value":"0.24752","scoring_system":"epss","scoring_elements":"0.96254","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-19919"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919"},{"reference_url":"https://github.com/advisories/GHSA-w457-6q6x-cgp9","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w457-6q6x-cgp9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db"},{"reference_url":"https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js"},{"reference_url":"https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5"},{"reference_url":"https://github.com/wycats/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wycats/handlebars.js"},{"reference_url":"https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc"},{"reference_url":"https://github.com/wycats/handlebars.js/issues/1558","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wycats/handlebars.js/issues/1558"},{"reference_url":"https://www.npmjs.com/advisories/1164","reference_id":"","reference_type":"","scores":[],"url":"https://www.npmjs.com/advisories/1164"},{"reference_url":"https://www.tenable.com/security/tns-2021-14","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.tenable.com/security/tns-2021-14"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789959","reference_id":"1789959","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789959"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19919","reference_id":"CVE-2019-19919","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19919"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml","reference_id":"CVE-2019-19919.YML","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118687?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.5.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.5.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118688?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.6%2B~4.1.0-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.6%252B~4.1.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118686?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.7%2B~4.1.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.7%252B~4.1.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2019-19919","GHSA-w457-6q6x-cgp9"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhz2-v28w-gye1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51487?format=json","vulnerability_id":"VCID-xxez-8xav-cfdz","summary":"Remote code execution in handlebars when compiling templates\nThe package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when\nselecting certain compiling options to compile templates coming from an untrusted source.\nThis vulnerability has been assigned the CVE identifier CVE-2021-23369.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369","reference_id":"","reference_type":"","scores":[{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.87954","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.87992","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.87979","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.87978","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.87975","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369"},{"reference_url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"reference_url":"https://github.com/wycats/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wycats/handlebars.js"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210604-0008"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210604-0008/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761","reference_id":"1948761","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"CVE-2021-23369","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4628","reference_id":"RHSA-2021:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/118688?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.6%2B~4.1.0-2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.6%252B~4.1.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118686?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.7%2B~4.1.0-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.7%252B~4.1.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/118689?format=json","purl":"pkg:deb/debian/node-handlebars@3:4.7.9-5?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.9-5%3Fdistro=trixie"}],"aliases":["CVE-2021-23369","GHSA-f2jv-r9rf-7988"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xxez-8xav-cfdz"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-handlebars@3:4.7.6%252B~4.1.0-2%3Fdistro=trixie"}