382 matches found

Nuclei
added 6 days ago, 45 views

Express-handlebars - Local File Inclusion

Express-handlebars is susceptible to local file inclusion because it mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential...

CVSS: 8.6 | AI score: 7.2 | EPSS: 0.86122
Exploits: 1

OSV
added 2026/05/26 5:58 a.m., 5 views

ROOT-APP-NPM-CVE-2026-33939 CVE-2026-33939 in @rootio/handlebars - Patched by Root

Root has patched CVE-2026-33939 in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.00076
Exploits: 1

OSV
added 2026/05/26 5:58 a.m., 3 views

ROOT-APP-NPM-CVE-2026-33938 CVE-2026-33938 in @rootio/handlebars - Patched by Root

Root has patched CVE-2026-33938 in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00048
Exploits: 1

OSV
added 2026/05/26 5:58 a.m., 4 views

ROOT-APP-NPM-CVE-2026-33940 CVE-2026-33940 in @rootio/handlebars - Patched by Root

Root has patched CVE-2026-33940 in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...

CVSS: 8.1 | AI score: 5.9 | EPSS: 0.00032
Exploits: 1

OSV
added 2026/05/26 5:58 a.m., 3 views

ROOT-APP-NPM-CVE-2026-33941 CVE-2026-33941 in @rootio/handlebars - Patched by Root

Root has patched CVE-2026-33941 in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...

CVSS: 8.2 | AI score: 5.9 | EPSS: 0.00009
Exploits: 1

OSV
added 2026/05/26 5:58 a.m., 4 views

ROOT-APP-NPM-CVE-2026-33937 CVE-2026-33937 in @rootio/handlebars - Patched by Root

Root has patched CVE-2026-33937 in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.0024
Exploits: 2

Tenable Nessus
added 2026/05/22 12:0 a.m., 4 views

Unity Linux 20.1060e / 20.1070e Security Update: nodejs-handlebars (UTSA-2026-016670)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016670 advisory. The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted...

CVSS: 9.8 | AI score: 6.9 | EPSS: 0.05666
Exploits: 1 | References: 4

IBM Security Bulletins
added 2026/05/07 1:34 p.m., 5 views

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2026-33937, CVE-2026-33938, CVE-2026-33940, CVE-2026-33941) and denial of service (CVE-2026-33939)

Summary: Node.js module handlebars is used by all IBM App Connect Enterprise Certified Container operands. IBM App Connect Enterprise Certified Container operands are vulnerable to arbitrary code execution (CVE-2026-33937, CVE-2026-33938, CVE-2026-33940, CVE-2026-33941) and denial of service...

CVSS: 9.8 | AI score: 6.5 | EPSS: 0.0024
Exploits: 6 | Affected Software: 1

IBM Security Bulletins
added 2026/05/05 9:18 a.m., 4 views

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Handlebars

Summary: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Handlebars: CVE-2026-33937, CVE-2026-33938, CVE-2026-33939, CVE-2026-33940, CVE-2026-33941. The vulnerabilities have been addressed. Vulnerability Details...

CVSS: 9.8 | AI score: 6.2 | EPSS: 0.0024
Exploits: 6 | Affected Software: 2

IBM Security Bulletins
added 2026/04/29 1:24 p.m., 10 views

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary: Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.13.1. Vulnerability Details: CVEID: CVE-2026-22737. DESCRIPTION: Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of conten...

CVSS: 8.8 | AI score: 8.7 | EPSS: 0.02889
Exploits: 9 | Affected Software: 1

IBM Security Bulletins
added 2026/04/24 5:45 p.m., 4 views

Security Bulletin: Multiple security vulnerabilities in IBM Business Automation Manager Open Editions

Summary: In addition to many updates of operating system level packages, the following security vulnerabilities are addressed in IBM Business Automation Manager Open Editions 9.4.1. Vulnerability Details: CVEID: CVE-2026-33916. DESCRIPTION: Handlebars provides the power necessary to let users build...

CVSS: 9.8 | AI score: 7.1 | EPSS: 0.0024
Exploits: 7 | Affected Software: 1

IBM Security Bulletins
added 2026/04/24 2:7 p.m., 7 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules.

Summary: IBM App Connect Enterprise runtime, IBM App Connect Enterprise Connector Discovery and OpenAPI Editor and IBM App Connect Enterprise Discovery Connectors are vulnerable to multiple vulnerabilities due to multiple node modules. Vulnerability Details: CVEID: CVE-2026-33916. DESCRIPTION:...

CVSS: 9.8 | AI score: 6.5 | EPSS: 0.0024
Exploits: 6 | Affected Software: 1

GithubExploit
added 2026/04/21 11:50 p.m., 75 views

Exploit for Injection in Ghost

This is a rework of the Repo by rootxran for this same CVE - htt...

CVSS: 9.8 | AI score: 5.8 | EPSS: 0.0003
Exploits: 3

Veracode
added 2026/04/16 11:12 a.m., 6 views

Code Injection

Handlebars is vulnerable to code injection. The vulnerability is due to improper sanitization of user-controlled inputs in the CLI precompiler, which allows an attacker to inject arbitrary JavaScript via crafted template filenames or CLI arguments and execute it when the generated code is run...

CVSS: 8.2 | AI score: 6 | EPSS: 0.00009
Exploits: 1 | References: 3 | Affected Software: 1

CNNVD
added 2026/04/13 12:0 a.m., 2 views

EspoCRM Security Vulnerability

EspoCRM is an open-source, web-based Customer Relationship Management (CRM) system developed by EspoCRM. This system offers features such as sales automation, community management, and customer support. EspoCRM versions 9.3.3 and earlier contained security vulnerabilities. These vulnerabilities wer...

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00035
Exploits: 2 | References: 2

OSV
added 2026/04/10 12:39 p.m., 3 views

ROOT-APP-NPM-CVE-2026-33916 CVE-2026-33916 in @rootio/handlebars - Patched by Root

Root has patched CVE-2026-33916 in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...

CVSS: 4.7 | AI score: 5.8 | EPSS: 0.00072
Exploits: 1

OSV
added 2026/04/10 12:39 p.m., 2 views

ROOT-APP-NPM-GHSA-7RX3-28CR-V5WH GHSA-7rx3-28cr-v5wh in @rootio/handlebars - Patched by Root

Root has patched GHSA-7rx3-28cr-v5wh in the @rootio/handlebars package for Root:npm. Multiple fixed versions available...

AI score: 5.8
Exploits: 0

Veracode
added 2026/04/08 2:5 p.m., 7 views

Type Confusion

Handlebars is vulnerable to Type Confusion. The vulnerability is due to unsanitized handling of pre-parsed AST input in Handlebars.compile, which allows an attacker to inject malicious JavaScript via crafted AST nodes and execute arbitrary code...

CVSS: 9.8 | AI score: 6 | EPSS: 0.0024
Exploits: 2 | References: 3 | Affected Software: 1

vulnersOsv
added 2026/03/29 3:17 p.m., 4 views

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +8 more potentially affected by unknown CVE via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =1.31.0, =1.37.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15813032...

AI score: 5.8
Exploits: 0

Snyk
added 2026/03/29 3:17 p.m., 4 views

Prototype Pollution

Overview: handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution in the protoAccessControl function. An attacker can gain unauthorized access to prototype methods by referencing lookupSetter in templates through...

CVSS: 6.3 | AI score: 6.5
Exploits: 0 | References: 2