purl | pkg:npm/handlebars@4.0.0 |
Vulnerability | Summary | Fixed by |
---|---|---|
This package is not known to be affected by vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
VCID-f85q-ybzg-t3ew | Moderate severity vulnerability that affects handlebars. **Withdrawn:** Duplicate of GHSA-9prh-257w-9277 | GHSA-fmr4-7g9q-7hc7 |
VCID-qjpg-1sgr-kkcf | Cross-Site Scripting in handlebars. Versions of `handlebars` prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebars templates are not quoted. **Proof of Concept:** Template: `<a href={{foo}}/>` Input: `{ 'foo' : 'test.com onload=alert(1)'}` Rendered result: `<a href=test.com onload=alert(1)/>` **Recommendation:** Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes. | CVE-2015-8861, GHSA-9prh-257w-9277 |
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
---|---|---|---|---|---|
2025-07-01T12:20:52.931330+00:00 | GithubOSV Importer | Fixing | VCID-qjpg-1sgr-kkcf | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9prh-257w-9277/GHSA-9prh-257w-9277.json | 36.1.3 |
2025-07-01T12:11:45.196761+00:00 | GithubOSV Importer | Fixing | VCID-f85q-ybzg-t3ew | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-fmr4-7g9q-7hc7/GHSA-fmr4-7g9q-7hc7.json | 36.1.3 |