{"url":"http://public2.vulnerablecode.io/api/packages/499975?format=json","purl":"pkg:npm/handlebars@4.7.6","type":"npm","namespace":"","name":"handlebars","version":"4.7.6","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.7.9","latest_non_vulnerable_version":"4.7.9","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78216?format=json","vulnerability_id":"VCID-1wpr-wn5h-b3gy","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary attacker-controlled code on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). Without `compile()`, the fallback compilation path in `invokePartial` is unreachable. Second, sanitize context data before rendering: ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. 
Third, avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33940.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09864","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09912","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33940"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33940"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bu
gzilla.redhat.com/show_bug.cgi?id=2452521","reference_id":"2452521","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452521"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"GHSA-xhpv-hc6g-r9c6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6","reference_id":"GHSA-xhpv-hc6g-r9c6","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","refe
rence_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:40:28Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33940","GHSA-xhpv-hc6g-r9c6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1wpr-wn5h-b3gy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78240?format=json","vulnerability_id":"VCID-2vdk-f8x9-wqbb","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent in that build, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. 
Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in  contexts where templates or context data can be influenced by untrusted input.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33938.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15224","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15352","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33938"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33938"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33938"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.
debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452525","reference_id":"2452525","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452525"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r","reference_id":"GHSA-3mfm-83xf-c92r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r","reference_id":"GHSA-3mfm-83xf-c92r","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handl
ebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T18:39:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33938","GHSA-3mfm-83xf-c92r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2vdk-f8x9-wqbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360108?format=json","vulnerability_id":"VCID-j6mn-nau8-auhy","summary":"Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry\n## Summary\n\nThe prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric `__lookupSetter__`. 
This omission is only exploitable when the non-default runtime option `allowProtoMethodsByDefault: true` is explicitly set — in that configuration `__lookupSetter__` becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.\n\n`4.6.0` is the version that introduced `protoAccessControl` and the `allowProtoMethodsByDefault` runtime option.\n\n## Description\n\nIn `lib/handlebars/internal/proto-access.js`:\n\n```javascript\nconst methodWhiteList = Object.create(null);\nmethodWhiteList['constructor']      = false;\nmethodWhiteList['__defineGetter__'] = false;\nmethodWhiteList['__defineSetter__'] = false;\nmethodWhiteList['__lookupGetter__'] = false;\n// __lookupSetter__ intentionally blocked in CVE-2021-23383,\n// but omitted here — creating an asymmetric blocklist\n```\n\nAll four legacy accessor helpers (`__defineGetter__`, `__defineSetter__`, `__lookupGetter__`, `__lookupSetter__`) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; `__lookupSetter__` was left out.\n\nWhen `allowProtoMethodsByDefault: true` is set, any prototype method **not present** in `methodWhiteList` is permitted by default. Because `__lookupSetter__` is absent from the list, it passes the `checkWhiteList` check and is accessible in templates, while `__lookupGetter__` (its sibling) is correctly denied.\n\n## Workarounds\n\n- Do **not** set `allowProtoMethodsByDefault: true`. 
The default configuration is not affected.\n- If `allowProtoMethodsByDefault` must be enabled, ensure templates do not reference  `__lookupSetter__` through untrusted input.","references":[{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh"},{"reference_url":"https://github.com/advisories/GHSA-765h-qjxv-5f44","reference_id":"GHSA-765h-qjxv-5f44","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-765h-qjxv-5f44"},{"reference_url":"https://github.com/advisories/GHSA-7rx3-28cr-v5wh","reference_id":"GHSA-7rx3-28cr-v5wh","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7rx3-28cr-v5wh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases"
:["GHSA-7rx3-28cr-v5wh"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j6mn-nau8-auhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208309?format=json","vulnerability_id":"VCID-njfv-eyqc-n7bm","summary":"The handlebars package before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23369.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369","reference_id":"","reference_type":"","scores":[{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.88016","published_at":"2026-06-11T12:55:00Z"},{"value":"0.03582","scoring_system":"epss","scoring_elements":"0.88056","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23369"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23369"},{"reference_url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f2jv-r9rf-7988"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N
/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"reference_url":"https://github.com/wycats/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wycats/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210604-0008"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210604-0008/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210604-0008/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAV
A-ORGWEBJARS-1074950","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761","reference_id":"1948761","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1948761"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"referenc
e_url":"https://access.redhat.com/errata/RHSA-2021:4628","reference_id":"RHSA-2021:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19306?format=json","purl":"pkg:npm/handlebars@4.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wpr-wn5h-b3gy"},{"vulnerability":"VCID-2vdk-f8x9-wqbb"},{"vulnerability":"VCID-j6mn-nau8-auhy"},{"vulnerability":"VCID-rkqq-nxpd-nbee"},{"vulnerability":"VCID-s9pe-e4x4-2ybc"},{"vulnerability":"VCID-ts65-xn5b-xkam"},{"vulnerability":"VCID-wavd-5xba-jqgn"},{"vulnerability":"VCID-x839-p6g2-f3ca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7"}],"aliases":["CVE-2021-23369","GHSA-f2jv-r9rf-7988"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-njfv-eyqc-n7bm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360067?format=json","vulnerability_id":"VCID-rkqq-nxpd-nbee","summary":"Handlebars.js has a Property Access Validation Bypass in container.lookup\n## Summary\n\nIn `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). 
This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform.\n\nOnly relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`.\n\n## Description\n\nThe vulnerable code in `lib/handlebars/runtime.js` (lines 137–144):\n\n```javascript\nlookup: function (depths, name) {\n  const len = depths.length;\n  for (let i = 0; i < len; i++) {\n    let result = depths[i] && container.lookupProperty(depths[i], name);\n    if (result != null) {\n      return depths[i][name];  // BUG: should be `return result;`\n    }\n  }\n},\n```\n\n`container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned.\n\n## Workarounds\n\n- Avoid enabling `{ compat: true }` when rendering templates that include untrusted data.\n- Ensure context data objects are plain JSON (no Proxies, no getter-based accessor 
properties).","references":[{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2"},{"reference_url":"https://github.com/advisories/GHSA-442j-39wm-28r2","reference_id":"GHSA-442j-39wm-28r2","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-442j-39wm-28r2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["GHSA-442j-39wm-28r2"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rkqq-nxpd-nbee"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208117?format=json","vulnerability_id":"VCID-rynq-af1m-3kbr","summary":"Prototype Pollution in 
handlebars","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23383.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383","reference_id":"","reference_type":"","scores":[{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90615","published_at":"2026-06-12T12:55:00Z"},{"value":"0.05666","scoring_system":"epss","scoring_elements":"0.90585","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23383"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23383"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210618-0007"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210618-0007/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210618-0007/"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032"},{"reference_url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029"},{"reference_url":"https://www.npmjs.com/package/handlebars","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements"
:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/handlebars"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688","reference_id":"1956688","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956688"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml","reference_id":"CVE-2021-23383.YML","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml"},{"reference_url":"https://github.com/advisories/GHSA-765h-qjxv-5f44","reference_id":"GHSA-765h-qjxv-5f44","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":""},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-765h-qjxv-5f44"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2500","reference_id":"RHSA-2021:2500","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2500"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4032","reference_id":"RHSA-2021:4032","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4032"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4628","r
eference_id":"RHSA-2021:4628","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4628"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1334","reference_id":"RHSA-2023:1334","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1334"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19306?format=json","purl":"pkg:npm/handlebars@4.7.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1wpr-wn5h-b3gy"},{"vulnerability":"VCID-2vdk-f8x9-wqbb"},{"vulnerability":"VCID-j6mn-nau8-auhy"},{"vulnerability":"VCID-rkqq-nxpd-nbee"},{"vulnerability":"VCID-s9pe-e4x4-2ybc"},{"vulnerability":"VCID-ts65-xn5b-xkam"},{"vulnerability":"VCID-wavd-5xba-jqgn"},{"vulnerability":"VCID-x839-p6g2-f3ca"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.7"}],"aliases":["CVE-2021-23383","GHSA-765h-qjxv-5f44"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rynq-af1m-3kbr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78167?format=json","vulnerability_id":"VCID-s9pe-e4x4-2ybc","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, \"n\")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. 
Validate template input before passing it to `compile()`; reject templates containing  decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled  templates; do not call `compile()` at request time.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33939.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22904","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.23101","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33939"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33939"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33939"},{"reference_url
":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508","reference_id":"2452508","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452508"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff","reference_id":"GHSA-9cx6-37pm-9jff","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff","reference_id":"GHSA-9cx6-37pm-9jff","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10
175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-30T18:52:18Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33939","GHSA-9cx6-37pm-9jff"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s9pe-e4x4-2ybc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78122?format=json","vulnerability_id":"VCID-ts65-xn5b-xkam","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a  `string`, never a plain object or JSON-deserialized value. 
Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33937.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47541","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47681","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33937"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33937"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33937"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi
-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523","reference_id":"2452523","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452523"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q","reference_id":"GHSA-2w6w-674q-4c4q","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q","reference_id":"GHSA-2w6w-674q-4c4q","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/han
dlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:23:06Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33937","GHSA-2w6w-674q-4c4q"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ts65-xn5b-xkam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78225?format=json","vulnerability_id":"VCID-wavd-5xba-jqgn","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values  that contain characters with JavaScript string-escaping significance (`\"`, `'`, `;`, etc.). 
Second, use a fixed, trusted namespace string passed via a configuration file rather than  command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive  paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated  build pipeline.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00927","published_at":"2026-06-12T12:55:00Z"},{"value":"9e-05","scoring_system":"epss","scoring_elements":"0.00931","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33941"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33941"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scorin
g_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33941"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524","reference_id":"2452524","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452524"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://github.com/advisories/GHSA-xjpj-3mr7-gcpf","reference_id":"GHSA-xjpj-3mr7-gcpf","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf","reference_id":"GHSA-xjpj-3mr7-gcpf","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"val
ue":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10175","reference_id":"RHSA-2026:10175","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10175"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-31T14:24:17Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33941","GHSA-xjpj-3mr7-gcpf"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wavd-5xba-jqgn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78289?format=json","vulnerability_id":"VCID-x839-p6g2-f3ca","summary":"Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. 
When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype  pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates  and reduces the attack surface.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33916.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22025","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00072","scoring_system":"epss","scoring_elements":"0.22216","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33916"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33916"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/handlebars-lang/handlebars.js"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369","reference_id":"","reference_type":"",
"scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23369"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33916"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141","reference_id":"1132141","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509","reference_id":"2452509","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2452509"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_id":"68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383","reference_id":"CVE-2021-23383","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23383"}
,{"reference_url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"GHSA-2qvq-rjwj-gvw9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2qvq-rjwj-gvw9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9","reference_id":"GHSA-2qvq-rjwj-gvw9","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9"},{"reference_url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9","reference_id":"v4.7.9","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-30T15:41:27Z/"}],"url":"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374513?format=json","purl":"pkg:npm/handlebars@4.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.9"}],"aliases":["CVE-2026-33916","GHSA-2qvq-rjwj-gvw9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x839-p6g2-f3ca"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://p
ublic2.vulnerablecode.io/packages/pkg:npm/handlebars@4.7.6"}