{"url":"http://public2.vulnerablecode.io/api/packages/499959?format=json","purl":"pkg:npm/handlebars@4.3.4","type":"npm","namespace":"","name":"handlebars","version":"4.3.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.7.9","latest_non_vulnerable_version":"4.7.9","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78216?format=json","vulnerability_id":"VCID-1wpr-wn5h-b3gy","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). Without `compile()`,  the fallback compilation path in `invokePartial` is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive  object that could be passed to a dynamic partial. 
Third, avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09864","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452521","reference_id":"2452521","reference_type":"","scores":[],"url":"http
s://bugzilla.redhat.com/show_bug.cgi?id=2452521"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"GHSA-xhpv-hc6g-r9c6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"GHSA-xhpv-hc6g-r9c6","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc"
,"scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33940","GHSA-xhpv-hc6g-r9c6"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1wpr-wn5h-b3gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78240?format=json","vulnerability_id":"VCID-2vdk-f8x9-wqbb","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is  absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers  should treat context data as read-only. 
Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in  contexts where templates or context data can be influenced by untrusted input.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15224","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=24
52525","reference_id":"2452525","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452525"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r","reference_id":"GHSA-3mfm-83xf-c92r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r","reference_id":"GHSA-3mfm-83xf-c92r","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generi
c_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33938","GHSA-3mfm-83xf-c92r"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2vdk-f8x9-wqbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/207240?format=json","vulnerability_id":"VCID-6cew-j5jr-euef","summary":"Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. 
This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20920.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20920","reference_id":"","reference_type":"","scores":[{"value":"0.00343","scoring_system":"epss","scoring_elements":"0.57268","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20920"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478","reference_id":"","reference_type":"","s
cores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478"},{"reference_url":"https://www.npmjs.com/advisories/1316","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1316"},{"reference_url":"https://www.npmjs.com/advisories/1324","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1324"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882260","reference_id":"1882260","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882260"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20920","reference_id":"CVE-2019-20920","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20920"},{"reference_url":"https://github.com/advisories/GHSA-3cqr-58rm-57f8","reference_id":"GHSA-3cqr-58rm-57f8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvss
v3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3cqr-58rm-57f8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5179","reference_id":"RHSA-2020:5179","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5179"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3917","reference_id":"RHSA-2021:3917","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3917"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/17610?format=json","purl":"pkg:npm/handlebars@4.5.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wpr-wn5h-b3gy"},{"vulnerability":"VCID-2vdk-f8x9-wqbb"},{"vulnerability":"VCID-njfv-eyqc-n7bm"},{"vulnerability":"VCID-rkqq-nxpd-nbee"},{"vulnerability":"VCID-rynq-af1m-3kbr"},{"vulnerability":"VCID-s9pe-e4x4-2ybc"},{"vulnerability":"VCID-ts65-xn5b-xkam"},{"vulnerability":"VCID-wavd-5xba-jqgn"},{"vulnerability":"VCID-x839-p6g2-f3ca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.5.3"}],"aliases":["CVE-2019-20920","GHSA-3cqr-58rm-57f8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6cew-j5jr-euef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208309?format=json","vulnerability_id":"VCID-njfv-eyqc-n7bm","summary":"The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted 
source.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369","reference_id":"","reference_type":"","scores":[{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.88016","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369"},{"reference_url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2e
bea1c1e427"},{"reference_url":"https://github.com/wycats/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wycats/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210604-0008"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210604-0008/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAV
A-ORGWEBJARSBOWER-1074951"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761","reference_id":"1948761","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4628","reference_id":"RHSA-2021:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19306?format=json","purl":"pkg:npm/handlebars@4.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wpr-wn5h-b3gy"},{"vulnerability":"VCID-2vdk-f8x9-wqbb"},{"vulnerability":"VCID-j6mn-nau8-auhy"},{
"vulnerability":"VCID-rkqq-nxpd-nbee"},{"vulnerability":"VCID-s9pe-e4x4-2ybc"},{"vulnerability":"VCID-ts65-xn5b-xkam"},{"vulnerability":"VCID-wavd-5xba-jqgn"},{"vulnerability":"VCID-x839-p6g2-f3ca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7"}],"aliases":["CVE-2021-23369","GHSA-f2jv-r9rf-7988"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-njfv-eyqc-n7bm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208047?format=json","vulnerability_id":"VCID-r9ap-56yg-6bgw","summary":"Regular Expression Denial of Service in Handlebars","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-20922.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20922","reference_id":"","reference_type":"","scores":[{"value":"0.00291","scoring_system":"epss","scoring_elements":"0.52857","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20922"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"va
lue":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388"},{"reference_url":"https://www.npmjs.com/advisories/1300","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/advisories/1300"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882256","reference_id":"1882256","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1882256"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20922","reference_id":"CVE-2019-20922","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20922"},{"reference_url":"https://github.com/advisories/GHSA-62gr-4qp9-h98f","reference_id":"GHSA-62gr-4qp9-h98f","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-62gr-4qp9-h98f"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5179","reference_id":"RHSA-2020:5179","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5179"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-202
1:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3917","reference_id":"RHSA-2021:3917","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3917"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/17593?format=json","purl":"pkg:npm/handlebars@4.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wpr-wn5h-b3gy"},{"vulnerability":"VCID-2vdk-f8x9-wqbb"},{"vulnerability":"VCID-6cew-j5jr-euef"},{"vulnerability":"VCID-njfv-eyqc-n7bm"},{"vulnerability":"VCID-rkqq-nxpd-nbee"},{"vulnerability":"VCID-rynq-af1m-3kbr"},{"vulnerability":"VCID-s9pe-e4x4-2ybc"},{"vulnerability":"VCID-ts65-xn5b-xkam"},{"vulnerability":"VCID-wavd-5xba-jqgn"},{"vulnerability":"VCID-x839-p6g2-f3ca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.4.5"}],"aliases":["CVE-2019-20922","GHSA-62gr-4qp9-h98f"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9ap-56yg-6bgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360067?format=json","vulnerability_id":"VCID-rkqq-nxpd-nbee","summary":"Handlebars.js has a Property Access Validation Bypass in container.lookup\n## Summary\n\nIn `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). 
This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform.\n\nOnly relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`.\n\n## Description\n\nThe vulnerable code in `lib/handlebars/runtime.js` (lines 137–144):\n\n```javascript\nlookup: function (depths, name) {\n  const len = depths.length;\n  for (let i = 0; i < len; i++) {\n    let result = depths[i] && container.lookupProperty(depths[i], name);\n    if (result != null) {\n      return depths[i][name];  // BUG: should be `return result;`\n    }\n  }\n},\n```\n\n`container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned.\n\n## Workarounds\n\n- Avoid enabling `{ compat: true }` when rendering templates that include untrusted data.\n- Ensure context data objects are plain JSON (no Proxies, no getter-based accessor 
properties).","references":[{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2"},{"reference_url":"https://github.com/advisories/GHSA-442j-39wm-28r2","reference_id":"GHSA-442j-39wm-28r2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-442j-39wm-28r2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["GHSA-442j-39wm-28r2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkqq-nxpd-nbee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208117?format=json","vulnerability_id":"VCID-rynq-af1m-3kbr","summary":"Prototype Pollution in 
handlebars","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383","reference_id":"","reference_type":"","scores":[{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90585","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"ht
tps://security.netapp.com/advisory/ntap-20210618-0007"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210618-0007/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scorin
g_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688","reference_id":"1956688","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml","reference_id":"CVE-2021-23383.YML","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml"},{"reference_url":"https://github.com/advisories/GHSA-765h-qjxv-5f44","reference_id":"GHSA-765h-qjxv-5f44","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-765h-qjxv-5f44"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4628","reference_id":"RHSA-2021:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021
:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19306?format=json","purl":"pkg:npm/handlebars@4.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wpr-wn5h-b3gy"},{"vulnerability":"VCID-2vdk-f8x9-wqbb"},{"vulnerability":"VCID-j6mn-nau8-auhy"},{"vulnerability":"VCID-rkqq-nxpd-nbee"},{"vulnerability":"VCID-s9pe-e4x4-2ybc"},{"vulnerability":"VCID-ts65-xn5b-xkam"},{"vulnerability":"VCID-wavd-5xba-jqgn"},{"vulnerability":"VCID-x839-p6g2-f3ca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7"}],"aliases":["CVE-2021-23383","GHSA-765h-qjxv-5f44"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rynq-af1m-3kbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78167?format=json","vulnerability_id":"VCID-s9pe-e4x4-2ybc","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, \"n\")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. 
Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow: compile templates at build time, serve only pre-compiled templates, and do not call `compile()` at request time.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22904","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","sco
res":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508","reference_id":"2452508","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff","reference_id":"GHSA-9cx6-37pm-9jff","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff","reference_id":"GHSA-9cx6-37pm-9jff","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"7.5
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33939","GHSA-9cx6-37pm-9jff"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s9pe-e4x4-2ybc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78122?format=json","vulnerability_id":"VCID-ts65-xn5b-xkam","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a  `string`, never a plain object or JSON-deserialized value. 
Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47541","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523","refer
ence_id":"2452523","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q","reference_id":"GHSA-2w6w-674q-4c4q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q","reference_id":"GHSA-2w6w-674q-4c4q","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic
_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33937","GHSA-2w6w-674q-4c4q"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ts65-xn5b-xkam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78225?format=json","vulnerability_id":"VCID-wavd-5xba-jqgn","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values  that contain characters with JavaScript string-escaping significance (`\"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than  command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive  paths) to limit the impact of successful exploitation. 
Fourth, audit template filenames in any repository or package that is consumed by an automated  build pipeline.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00931","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524","reference_id":"2452524","reference_type":"","scores":[]
,"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-xjpj-3mr7-gcpf","reference_id":"GHSA-xjpj-3mr7-gcpf","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf","reference_id":"GHSA-xjpj-3mr7-gcpf","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","sc
ores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33941","GHSA-xjpj-3mr7-gcpf"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wavd-5xba-jqgn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78289?format=json","vulnerability_id":"VCID-x839-p6g2-f3ca","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype  pollution. 
Note: this may break other libraries. Alternatively, or in addition, use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22025","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_sys
tem":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509","reference_id":"2452509","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"},{"reference_url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"GHSA-2qvq-rjwj-gvw9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"GHSA-2qvq-rjwj-gvw9","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_s
ystem":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33916","GHSA-2qvq-rjwj-gvw9"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x839-p6g2-f3ca"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.3.4"}