385 matches found

vulnersOsv
added 2026/03/29 3:17 p.m., 9 views

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +6 more potentially affected by unknown CVE via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15813032...

AI score 5.5
Exploits: 0
vulnersOsv
added 2026/03/29 3:17 p.m., 6 views

4coders-commons (>=0.0.1 <=0.0.2), @1delta/aggregators (>=0.1.0 <=0.1.6) +2141 more potentially affected by unknown CVE via handlebars (>=4.6.0 <=4.7.8)

handlebars NPM version =4.6.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.0.0, =0.1.0-alpha.1, =3.1.2, =3.1.6, =0.0.1, =0.1.7 and more Source cves: unknown CVE Source advisory: SNYK:JS-HANDLEBARS-15813031...

AI score 5.7
Exploits: 0
OSV
added 2026/03/29 3:17 p.m., 3 views

GHSA-7RX3-28CR-V5WH Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry

Summary: The prototype method blocklist in lib/handlebars/internal/proto-access.js blocks constructor, __defineGetter__, __defineSetter__, and __lookupGetter__, but omits the symmetric __lookupSetter__. This omission is only exploitable when the non-default runtime option allowProtoMethodsByDefault: true is...

CVSS 4.8, AI score 5.9
Exploits: 0, References: 4
Snyk
added 2026/03/29 3:17 p.m., 8 views

Prototype Pollution

Overview: handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution in the protoAccessControl function. An attacker can gain unauthorized access to prototype methods by referencing __lookupSetter__ in templates through...

CVSS 6.3, AI score 6.5
Exploits: 0, References: 2
Snyk
added 2026/03/29 3:17 p.m., 6 views

Prototype Pollution

Overview: org.webjars.npm:handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution in the protoAccessControl function. An attacker can gain unauthorized access to prototype methods by referencing __lookupSetter__ in templat...

CVSS 6.3, AI score 6.3
Exploits: 0, References: 2
Github Security Blog
added 2026/03/29 3:17 p.m., 12 views

Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry

Summary: The prototype method blocklist in lib/handlebars/internal/proto-access.js blocks constructor, __defineGetter__, __defineSetter__, and __lookupGetter__, but omits the symmetric __lookupSetter__. This omission is only exploitable when the non-default runtime option allowProtoMethodsByDefault: true is...

CVSS 9.8, AI score 5.9, EPSS 0.04506
Exploits: 1, References: 4, Affected Software: 1
vulnersOsv
added 2026/03/29 3:16 p.m., 9 views

4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by unknown CVE via handlebars (>=4.0.0 <=4.7.8)

handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: unknown CVE Source advisory: OSV:GHSA-442J-39WM-28R2...

AI score 5.7
Exploits: 0
vulnersOsv
added 2026/03/29 3:16 p.m., 5 views

4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3644 more potentially affected by unknown CVE via handlebars (>=4.0.0 <=4.7.8)

handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: unknown CVE Source advisory: SNYK:JS-HANDLEBARS-15813000...

AI score 5.7
Exploits: 0
Snyk
added 2026/03/29 3:16 p.m., 2 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview: org.webjars.npm:handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the lookup function. An attacker can access properties that should be restricted by bypassing...

CVSS 6.3, AI score 5.5
Exploits: 0, References: 2
Github Security Blog
added 2026/03/29 3:16 p.m., 9 views

Handlebars.js has a Property Access Validation Bypass in container.lookup

Summary: In lib/handlebars/runtime.js, the container.lookup function uses container.lookupProperty as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access depths[i][name]. This Time-of-Check Time-of-Use (TOCTOU) patter...

AI score 5.9
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/03/29 3:16 p.m., 2 views

GHSA-442J-39WM-28R2 Handlebars.js has a Property Access Validation Bypass in container.lookup

Summary: In lib/handlebars/runtime.js, the container.lookup function uses container.lookupProperty as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access depths[i][name]. This Time-of-Check Time-of-Use (TOCTOU) patter...

CVSS 3.7, AI score 5.9
Exploits: 0, References: 4
vulnersOsv
added 2026/03/29 3:16 p.m., 9 views

org.webjars.npm:directory-encoder (=0.9.2), org.webjars.npm:engine-handlebars (=0.8.2) +6 more potentially affected by unknown CVE via org.webjars.npm:handlebars (>=4.0.14 <=4.7.8)

org.webjars.npm:handlebars MAVEN version =4.0.14, =1.5.0, =2.0.0, =2.0.0, =2.1.0, =2.1.1 Source cves: unknown CVE Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15813001...

AI score 5.5
Exploits: 0
Snyk
added 2026/03/29 3:16 p.m., 10 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview: handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the lookup function. An attacker can access properties that should be restricted by bypassing prototype-access controls...

CVSS 6.3, AI score 5.5
Exploits: 0, References: 2
RedhatCVE
added 2026/03/28 10:46 a.m., 8 views

CVE-2026-33937

A flaw was found in Handlebars. An attacker can exploit this by supplying a crafted Abstract Syntax Tree (AST) object to the Handlebars.compile function. This allows the injection and execution of arbitrary JavaScript code due to improper sanitization of the value field in NumberLiteral AST nodes...

CVSS 9.8, AI score 6.3, EPSS 0.0178
Exploits: 2, References: 6
RedhatCVE
added 2026/03/28 10:11 a.m., 5 views

CVE-2026-33941

A flaw was found in Handlebars. The Handlebars command-line interface (CLI) precompiler concatenates user-controlled strings, such as template file names and CLI options, directly into the generated JavaScript without proper escaping or sanitization. An attacker capable of influencing these inputs...

CVSS 8.2, AI score 6.4, EPSS 0.00291
Exploits: 1, References: 6
RedhatCVE
added 2026/03/28 10:11 a.m., 6 views

CVE-2026-33916

A flaw was found in Handlebars. The resolvePartial function in the Handlebars runtime does not properly guard against prototype-chain traversal when resolving partial names. This allows an attacker to inject malicious code into web pages. When Object.prototype has been polluted with a string valu...

CVSS 4.7, AI score 6.3, EPSS 0.00232
Exploits: 1, References: 6
RedhatCVE
added 2026/03/28 10:11 a.m., 13 views

CVE-2026-33939

A flaw was found in Handlebars.js. A remote attacker can exploit this by submitting a malformed Handlebars template that includes decorator syntax referencing an unregistered decorator. When the application attempts to compile this template without proper error handling, it triggers an unhandled...

CVSS 7.5, AI score 5.9, EPSS 0.00616
Exploits: 1, References: 6
RedhatCVE
added 2026/03/28 10:11 a.m., 5 views

CVE-2026-33940

A flaw was found in Handlebars.js. A remote attacker can exploit this vulnerability by providing a specially crafted object within the template context. This crafted object, when processed by a dynamic partial lookup, can bypass security checks and be interpreted as malicious code. This allows th...

CVSS 8.1, AI score 6.2, EPSS 0.00703
Exploits: 1, References: 6
RedhatCVE
added 2026/03/28 10:11 a.m., 3 views

CVE-2026-33938

A flaw was found in Handlebars. A remote attacker can exploit this vulnerability by manipulating the @partial-block special variable within the template data context. By overwriting @partial-block with a specially crafted Abstract Syntax Tree (AST) through a helper, a subsequent invocation of...

CVSS 8.1, AI score 6.3, EPSS 0.00709
Exploits: 1, References: 6
Tenable Nessus
added 2026/03/28 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-33916

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, resolvePartial in the Handlebars runtime resolve...

CVSS 4.7, AI score 6.6, EPSS 0.00232
Exploits: 1, References: 4