18 matches found
CVE-2026-33940
CVE-2026-33940 affects Handlebars runtimes from 4.0.0 through 4.7.8, where a crafted object in the template context can bypass guards in resolvePartial() and cause invokePartial() to return undefined. This leads the runtime to treat an unresolved partial as a source to be compiled, feeding a vali...
CVE-2026-33940 Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the...
CVE-2026-33939
Summary: CVE-2026-33939 affects Handlebars 4.0.0–4.7.8, where a template using decorator syntax referencing an unregistered decorator (e.g. {{*n}}) causes the runtime to call an undefined value as a function, leading to an unhandled TypeError and a potential single-request DoS. The issue is fixed...
CVE-2026-33939 Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. {{*n}}), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. Th...
CVE-2026-33916 Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, resolvePartial in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype...
EUVD-2026-16862
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options...
EUVD-2026-16860
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial...
EUVD-2026-16858
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation...
EUVD-2026-16849
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block...
EUVD-2026-16848
Handlebars.js has JavaScript Injection via AST Type Confusion...
Handlebars.js security vulnerability
Handlebars.js is an open-source JavaScript templating engine developed by The Handlebars Templating Language project. Versions of Handlebars.js 4.7.8 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the special variable @partial-block, which could be overwritten...
Handlebars.js security vulnerability
Handlebars.js is an open-source JavaScript templating engine developed by The Handlebars Templating Language project. Versions of Handlebars.js 4.7.8 and earlier contained security vulnerabilities. These vulnerabilities were caused by improper handling of user-controlled strings by the Handlebars...
Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities - Handlebars.js (CVE-2019-19919, CVE-2021-32820)
Summary The product includes an older version of Handlebars.js that may be identified and exploited with automated tools. Vulnerability Details CVEID: CVE-2019-19919 DESCRIPTION: Node.js handlebars could allow a remote attacker to execute arbitrary code on the system, caused by a prototype...
GHSA-6R5X-HMGG-7H53 Remote code execution in Handlebars.js
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)...
Remote code execution in Handlebars.js
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)...
[SECURITY] Fedora 30 Update: nodejs-handlebars-4.0.13-1.fc30
Handlebars.js is an extension to the Mustache templating language created by Chris Wanstrath. Handlebars.js and Mustache are both logicless templating languages that keep the view and the code separated like we all know they should be...
[SECURITY] Fedora 22 Update: nodejs-handlebars-4.0.5-1.fc22
Handlebars.js is an extension to the Mustache templating language created by Chris Wanstrath. Handlebars.js and Mustache are both logicless templating languages that keep the view and the code separated like we all know they should be...