385 matches found
Improper Encoding or Escaping of Output
Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the CLI precompiler in lib/precompiler.js. An attacker can execute arbitrary JavaScript in the generated bundle by supplying...
4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by CVE-2026-33941 via handlebars (>=4.0.0 <=4.7.8)
handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33941 Source advisory: OSV:GHSA-XJPJ-3MR7-GCPF...
org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +6 more potentially affected by CVE-2026-33941 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)
org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33941 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15807041...
Improper Encoding or Escaping of Output
Overview org.webjars.npm:handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the CLI precompiler in lib/precompiler.js. An attacker can execute arbitrary JavaScript in the generated...
4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by CVE-2026-33941 via handlebars (>=4.0.0 <=4.7.8)
handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33941 Source advisory: SNYK:JS-HANDLEBARS-15807040...
GHSA-XJPJ-3MR7-GCPF Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
Summary The Handlebars CLI precompiler (bin/handlebars / lib/precompiler.js) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI...
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Summary A crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile...
4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by CVE-2026-33940 via handlebars (>=4.0.0 <=4.7.8)
handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33940 Source advisory: OSV:GHSA-XHPV-HC6G-R9C6...
org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +6 more potentially affected by CVE-2026-33940 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)
org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33940 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15803087...
4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by CVE-2026-33940 via handlebars (>=4.0.0 <=4.7.8)
handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33940 Source advisory: SNYK:JS-HANDLEBARS-15803086...
Access of Resource Using Incompatible Type ('Type Confusion')
Overview org.webjars.npm:handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the resolvePartial and invokePartial functions. An attacker can execute arbitrary code on th...
Access of Resource Using Incompatible Type ('Type Confusion')
Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type 'Type Confusion' via the resolvePartial and invokePartial functions. An attacker can execute arbitrary code on the server by...
GHSA-XHPV-HC6G-R9C6 Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Summary A crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile...
Improper Check for Unusual or Exceptional Conditions
Overview handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the registerDecorator path in lib/handlebars/compiler/javascript-compiler.js. An attacker can crash the Node.js...
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Summary When a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. n), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled TypeError: ... is not ...
Improper Check for Unusual or Exceptional Conditions
Overview org.webjars.npm:handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the registerDecorator path in lib/handlebars/compiler/javascript-compiler.js. An attacker can...
4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by CVE-2026-33939 via handlebars (>=4.0.0 <=4.7.8)
handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33939 Source advisory: SNYK:JS-HANDLEBARS-15807042...
4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by CVE-2026-33939 via handlebars (>=4.0.0 <=4.7.8)
handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33939 Source advisory: OSV:GHSA-9CX6-37PM-9JFF...
org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +6 more potentially affected by CVE-2026-33939 via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)
org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: CVE-2026-33939 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15807043...
GHSA-9CX6-37PM-9JFF Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Summary When a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. n), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled TypeError: ... is not ...