{"url":"http://public2.vulnerablecode.io/api/packages/304355?format=json","purl":"pkg:npm/handlebars@4.7.3","type":"npm","namespace":"","name":"handlebars","version":"4.7.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.7.9","latest_non_vulnerable_version":"4.7.9","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64121?format=json","vulnerability_id":"VCID-2r9d-e4z2-ckbh","summary":"handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22105","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":
"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"}
,{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509","reference_id":"2452509","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"CVE-2021-23369","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"},{"reference_url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"GHSA-2qvq-rjwj-gvw9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33916","GHSA-2qvq-rjwj-gvw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2r9d-e4z2-ckbh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42343?format=json","vulnerability_id":"VCID-3ej8-4wrb-dqed","summary":"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')\nThe package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted 
source.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383","reference_id":"","reference_type":"","scores":[{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90555","published_at":"2026-06-05T12:55:00Z"},{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90541","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scor
ing_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210618-0007"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210618-0007/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029","refe
rence_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688","reference_id":"1956688","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"},{"reference_url":"https://github.com/advisories/GHSA-765h-qjxv-5f44","reference_id":"GHSA-765h-qjxv-5f44","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-765h-qjxv-5f44"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4628","reference_id":"RHSA-20
21:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60541?format=json","purl":"pkg:npm/handlebars@4.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"},{"vulnerability":"VCID-rrb5-uk9f-zbc8"},{"vulnerability":"VCID-yv4k-1q7a-wqee"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7"}],"aliases":["CVE-2021-23383","GHSA-765h-qjxv-5f44"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3ej8-4wrb-dqed"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64115?format=json","vulnerability_id":"VCID-4e4r-qabs-cbg7","summary":"handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization 
flaw","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00935","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"",
"reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524","reference_id":"2452524","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524"},{"reference_url":"https://github.com/advisories/GHSA-xjpj-3
mr7-gcpf","reference_id":"GHSA-xjpj-3mr7-gcpf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33941","GHSA-xjpj-3mr7-gcpf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4e4r-qabs-cbg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64120?format=json","vulnerability_id":"VCID-4sp5-ymgy-qfg4","summary":"handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in 
compile()","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.4751","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS
:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523","reference_id":"2452523","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523"},{"reference_url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q","reference_id":"GHSA-2w6w-674q-4c4q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/e
rrata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33937","GHSA-2w6w-674q-4c4q"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4sp5-ymgy-qfg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64116?format=json","vulnerability_id":"VCID-81p2-vehj-hub1","summary":"handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09841","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a8
8e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=11
32141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452521","reference_id":"2452521","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452521"},{"reference_url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"GHSA-xhpv-hc6g-r9c6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33940","GHSA-xhpv-hc6g-r9c6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-81p2-vehj-hub1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64119?format=json","vulnerability_id":"VCID-bkew-8c9k-mbh2","summary":"handlebars: Handlebars: Arbitrary code execution via @partial-block 
overwrite","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15242","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/A
V:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452525","reference_id":"2452525","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452525"},{"reference_url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r","reference_id":"GHSA-3mfm-83xf-c92r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10
175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33938","GHSA-3mfm-83xf-c92r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bkew-8c9k-mbh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/64118?format=json","vulnerability_id":"VCID-cxf4-xmgb-aue5","summary":"handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22975","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a
88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132
141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508","reference_id":"2452508","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508"},{"reference_url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff","reference_id":"GHSA-9cx6-37pm-9jff","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33939","GHSA-9cx6-37pm-9jff"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cxf4-xmgb-aue5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91102?format=json","vulnerability_id":"VCID-rrb5-uk9f-zbc8","summary":"Handlebars.js has a Property Access Validation Bypass in container.lookup\n## Summary\n\nIn `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). 
This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform.\n\nOnly relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`.\n\n## Description\n\nThe vulnerable code in `lib/handlebars/runtime.js` (lines 137–144):\n\n```javascript\nlookup: function (depths, name) {\n  const len = depths.length;\n  for (let i = 0; i < len; i++) {\n    let result = depths[i] && container.lookupProperty(depths[i], name);\n    if (result != null) {\n      return depths[i][name];  // BUG: should be `return result;`\n    }\n  }\n},\n```\n\n`container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned.\n\n## Workarounds\n\n- Avoid enabling `{ compat: true }` when rendering templates that include untrusted data.\n- Ensure context data objects are plain JSON (no Proxies, no getter-based accessor 
properties).","references":[{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2"},{"reference_url":"https://github.com/advisories/GHSA-442j-39wm-28r2","reference_id":"GHSA-442j-39wm-28r2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-442j-39wm-28r2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9",
"is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["GHSA-442j-39wm-28r2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rrb5-uk9f-zbc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51487?format=json","vulnerability_id":"VCID-xxez-8xav-cfdz","summary":"Remote code execution in handlebars when compiling templates\nVersions of the handlebars package before 4.7.7 are vulnerable to Remote Code Execution (RCE) when\ncertain compile options are selected to compile templates coming from an untrusted source.\nThis vulnerability has been assigned the CVE identifier CVE-2021-23369.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369","reference_id":"","reference_type":"","scores":[{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.87954","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.87975","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369"},{"reference_url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988"},{"reference_url":"https://gith
ub.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"reference_url":"https://github.com/wycats/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wycats/handlebars.js"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210604-0008"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210604-0008/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L
/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761","reference_id":"1948761","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"CVE-2021-23369","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.co
m/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4628","reference_id":"RHSA-2021:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60541?format=json","purl":"pkg:npm/handlebars@4.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2r9d-e4z2-ckbh"},{"vulnerability":"VCID-4e4r-qabs-cbg7"},{"vulnerability":"VCID-4sp5-ymgy-qfg4"},{"vulnerability":"VCID-81p2-vehj-hub1"},{"vulnerability":"VCID-bkew-8c9k-mbh2"},{"vulnerability":"VCID-cxf4-xmgb-aue5"},{"vulnerability":"VCID-rrb5-uk9f-zbc8"},{"vulnerability":"VCID-yv4k-1q7a-wqee"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7"}],"aliases":["CVE-2021-23369","GHSA-f2jv-r9rf-7988"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xxez-8xav-cfdz"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91326?format=json","vulnerability_id":"VCID-yv4k-1q7a-wqee","summary":"Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry\n## Summary\n\nThe prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric `__lookupSetter__`. 
This omission is only exploitable when the non-default runtime option `allowProtoMethodsByDefault: true` is explicitly set — in that configuration `__lookupSetter__` becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.\n\n`4.6.0` is the version that introduced `protoAccessControl` and the `allowProtoMethodsByDefault` runtime option.\n\n## Description\n\nIn `lib/handlebars/internal/proto-access.js`:\n\n```javascript\nconst methodWhiteList = Object.create(null);\nmethodWhiteList['constructor']      = false;\nmethodWhiteList['__defineGetter__'] = false;\nmethodWhiteList['__defineSetter__'] = false;\nmethodWhiteList['__lookupGetter__'] = false;\n// __lookupSetter__ intentionally blocked in CVE-2021-23383,\n// but omitted here — creating an asymmetric blocklist\n```\n\nAll four legacy accessor helpers (`__defineGetter__`, `__defineSetter__`, `__lookupGetter__`, `__lookupSetter__`) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; `__lookupSetter__` was left out.\n\nWhen `allowProtoMethodsByDefault: true` is set, any prototype method **not present** in `methodWhiteList` is permitted by default. Because `__lookupSetter__` is absent from the list, it passes the `checkWhiteList` check and is accessible in templates, while `__lookupGetter__` (its sibling) is correctly denied.\n\n## Workarounds\n\n- Do **not** set `allowProtoMethodsByDefault: true`. 
The default configuration is not affected.\n- If `allowProtoMethodsByDefault` must be enabled, ensure templates do not reference `__lookupSetter__` through untrusted input.","references":[{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh"},{"reference_url":"https://github.com/advisories/GHSA-765h-qjxv-5f44","reference_id":"GHSA-765h-qjxv-5f44","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-765h-qjxv-5f44"},{"reference_url":"https://github.com/advisories/GHSA-7rx3-28cr-v5wh","reference_id":"GHSA-7rx3-28cr-v5wh","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-7rx3-28cr-v5wh"}],"fixed_packages":[{"
url":"http://public2.vulnerablecode.io/api/packages/112601?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["GHSA-7rx3-28cr-v5wh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yv4k-1q7a-wqee"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.3"}