CVE-2026-33937

CVE-2026-33937 affects Handlebars.js prior to 4.7.9, where Handlebars.compile() accepts a pre-parsed AST; the NumberLiteral.value is emitted into generated JS without quoting, enabling remote code execution if a crafted AST is supplied. Versions 4.0.0–4.7.8 are vulnerable; 4.7.9 fixes the issue. ...

CVE-2026-33881

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environmen...

EUVD-2026-16862

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options...

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

Summary The Handlebars CLI precompiler bin/handlebars / lib/precompiler.js concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI...

GHSA-XJPJ-3MR7-GCPF Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

Summary The Handlebars CLI precompiler bin/handlebars / lib/precompiler.js concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI...

EUVD-2026-16860

Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial...

4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3655 more potentially affected by CVE-2026-33938 via handlebars (>=4.0.0 <=4.7.8)

handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33938 Source advisory: SNYK:JS-HANDLEBARS-15803082...

Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block

Summary The @partial-block special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites @partial-block with a crafted Handlebars AST, a subsequent invocation of @partial-block compil...

EUVD-2026-16849

Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block...

GHSA-3MFM-83XF-C92R Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block

Summary The @partial-block special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites @partial-block with a crafted Handlebars AST, a subsequent invocation of @partial-block compil...

GHSA-2W6W-674Q-4C4Q Handlebars.js has JavaScript Injection via AST Type Confusion

Summary Handlebars.compile accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to compile can therefore inject and...

EUVD-2026-16848

Handlebars.js has JavaScript Injection via AST Type Confusion...

Handlebars.js has JavaScript Injection via AST Type Confusion

Summary Handlebars.compile accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to compile can therefore inject and...

org.webjars.npm:compression-webpack-plugin (=7.1.1), org.webjars.npm:copy-webpack-plugin (>=4.3.1 <=4.6.0) +9 more potentially affected by CVE-2026-34043 via org.webjars.npm:serialize-javascript (>=1.9.1 <=6.0.2)

org.webjars.npm:serialize-javascript MAVEN version =1.9.1, =4.3.1, =5.2.0, =1.1.6, =2.3.4, =2.5.17-beta.0 Source cves: CVE-2026-34043 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15809197...

@internxt/cli (>=1.0.5 <=1.2.2), @latitude-data/cli (>=0.0.29 <=1.11.0-canary.8) +19 more potentially affected by CVE-2026-34043 via serialize-javascript (>=7.0.0 <=7.0.4)

serialize-javascript NPM version =7.0.0, =1.0.5, =0.0.29, =1.23.0-beta.0, =1.23.0-beta.0, =1.23.0-beta.0, =1.23.0-beta.0, =1.23.0-beta.0, =18.33.0, =0.7.5, =0.9.8, =0.15.8, =1.3.0, =1.5.1 - @sigmaott/media-live =0.5.0 and more Source cves: CVE-2026-34043 Source advisory:...

Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Impact What kind of vulnerability is it? It is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but has a very large length property, the process enters an intensive loop that...

Allocation of Resources Without Limits or Throttling

Overview serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the serialize function when handling specially...

GHSA-QJ8W-GFJ5-8C6V Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Impact What kind of vulnerability is it? It is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but has a very large length property, the process enters an intensive loop that...

-react-file-list-components (=1.1.1), 00ld8nuivn (=2.1.0) +45876 more potentially affected by CVE-2026-34043 via serialize-javascript (>=5.0.0 <=7.0.4)

serialize-javascript NPM version =5.0.0, =0.1.0, =0.1.9 - 01dk01majk =2.1.0 - 02.aula =1.0.0 - 02rjq8i863 =1.1.0 - 02vx8qsp01 =2.1.0 - 05y6tjgmws =1.1.0 - 066m7q8o0z =2.1.0 - 06buj9h3su =2.1.0 - 06dre15t8r =2.1.0 - 06p998toez =0.1.0 - 07fgapmu9l =1.1.0 - 07t2xvu6t4 =2.1.0 and more Source cves:...

Allocation of Resources Without Limits or Throttling

Overview org.webjars.npm:serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the serialize function when...