Search for vulnerabilities
| Vulnerability ID | VCID-wkcp-xswz-t3d9 |
| Aliases |
GHSA-q2c6-c6pm-g3gh
|
| Summary | Arbitrary Code Execution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a [previous issue](https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). ## Recommendation Upgrade to version 3.0.8, 4.5.3 or later. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| There are no known CWE. |
| System | Score | Found at |
|---|---|---|
| cvssv3.1_qr | HIGH | https://github.com/advisories/GHSA-q2c6-c6pm-g3gh |
| generic_textual | HIGH | https://www.npmjs.com/advisories/1324 |
| Reference id | Reference type | URL |
|---|---|---|
| https://www.npmjs.com/advisories/1324 | ||
| GHSA-q2c6-c6pm-g3gh | https://github.com/advisories/GHSA-q2c6-c6pm-g3gh |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2025-07-01T12:16:31.155310+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-q2c6-c6pm-g3gh/GHSA-q2c6-c6pm-g3gh.json | 36.1.3 |