8 matches found

OSV
added 2026/03/27 9:17 p.m. | 0 views

DEBIAN-CVE-2026-33916

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, resolvePartial in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype...

4.7 CVSS | 5.3 AI score | 0.00072 EPSS
Exploits: 1 | References: 1

NVD
added 2026/03/27 9:17 p.m. | 3 views

CVE-2026-33937

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, Handlebars.compile accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript withou...

9.8 CVSS | 0.0024 EPSS
Exploits: 2 | References: 3

UbuntuCve
added 2026/03/27 9:17 p.m. | 0 views

CVE-2026-33938

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the @partial-block special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper...

8.1 CVSS | 6.2 AI score | 0.00048 EPSS
Exploits: 1 | References: 5

ATTACKERKB
added 2026/03/27 9:5 p.m. | 3 views

CVE-2026-33938

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the @partial-block special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper...

8.1 CVSS | 6.2 AI score | 0.00048 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

vulnersOsv
added 2026/03/27 6:20 p.m. | 4 views

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +8 more potentially affected by CVE-2026-33938 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =1.31.0, =1.37.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33938 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15803083...

8.1 CVSS | 6.3 AI score | 0.00048 EPSS
Exploits: 1

Positive Technologies
added 2026/03/27 12:0 a.m. | 2 views

PT-2026-28571

Name of the Vulnerable Software and Affected Versions: Handlebars versions 4.0.0 through 4.7.8. Description: Handlebars templates containing decorator syntax referencing an unregistered decorator (e.g., n) can cause a Denial of Service. The compiled template calls lookupProperty(decorators, "n"), which...

7.5 CVSS | 5.9 AI score | 0.00076 EPSS
Exploits: 1 | References: 7

vulnersOsv
added 2020/09/04 3:6 p.m. | 0 views

@11ty/eleventy (=0.3.3), @36node/swagen (=0.1.2) +1580 more potentially affected by unknown CVE via handlebars (>=4.0.0 <=4.5.2)

handlebars NPM version =4.0.0, =1.16.0, =1.16.0, =1.16.0, =1.16.0, =1.0.1, =3.0.0, =1.0.0, =0.1.0, =0.0.1, =1.0.2-alpha.0, =1.0.0, =0.0.2, =5.0.0, =6.0.10 and more Source cves: unknown CVE Source advisory: OSV:GHSA-G9R4-XPMJ-MJ65...

5.8 AI score
Exploits: 0

OSV
added 2020/09/04 2:57 p.m. | 1 views

GHSA-2CF5-4W76-R9QV Arbitrary Code Execution in handlebars

Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server...

7.3 CVSS | 6.2 AI score
Exploits: 0 | References: 1