CVE-2026-33940 Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial

🗓️ 27 Mar 2026 21:11:10Reported by GitHub_MType

CVE-2026-33940: Handlebars.js dynamic partial AST type confusion allows code execution; fixed in 4.7.9.

Reporter	Title	Published	Views	Family All 51
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2026-33937, CVE-2026-33938, CVE-2026-33940, CVE-2026-33941) and denial of service (CVE-2026-33939)	7 May 202613:34	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions	24 Apr 202617:45	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules.	24 Apr 202614:07	–	ibm
IBM Security Bulletins	Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Handlebars	5 May 202609:18	–	ibm
ATTACKERKB	CVE-2026-33940	27 Mar 202621:11	–	attackerkb
Information Security Automation	April Linux Patch Wednesday	22 Apr 202616:00	–	avleonov
Chainguard	CVE-2026-33940 vulnerabilities	30 Mar 202619:17	–	cgr
Circl	CVE-2026-33940	26 Mar 202620:59	–	circl
CNNVD	handlebars 安全漏洞	27 Mar 202600:00	–	cnnvd
CVE	CVE-2026-33940	27 Mar 202621:11	–	cve

[
  {
    "vendor": "handlebars-lang",
    "product": "handlebars.js",
    "versions": [
      {
        "version": ">= 4.0.0, < 4.7.9",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
github	www.github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
github	www.github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

27 Mar 2026 21:11Current

CVSS 3.18.1

EPSS0.00619