10 matches found
CVE-2021-23369
CVE-2021-23369 affects handlebars.js prior to 4.7.7. It allows remote code execution when compiling templates from untrusted sources due to how certain compiling options are handled. The vulnerability is described in vendor advisories (e.g., IBM bulletin referencing Node.js handlebars module) and...
CVE-2026-33937
CVE-2026-33937 affects Handlebars.js prior to 4.7.9, where Handlebars.compile() accepts a pre-parsed AST; the NumberLiteral.value is emitted into generated JS without quoting, enabling remote code execution if a crafted AST is supplied. Versions 4.0.0–4.7.8 are vulnerable; 4.7.9 fixes the issue. ...
CVE-2021-23383
The CVE-2021-23383 issue affects the handlebars library before 4.7.7. It enables Prototype Pollution when compiling templates from an untrusted source. CVSS data indicates high/critical risk (NETWORK, no auth, no user interaction; impact on confidentiality, integrity, availability). Remediation: ...
CVE-2019-20920
Technical details about CVE-2019-20920 are not publicly available in the provided connected documents. Monitor for updates.
CVE-2019-20922
CVE-2019-20922 affects the Handlebars.js template engine before 4.4.5. The vulnerability stems from an eager RegExp matching approach in the parser, which can be forced into an endless loop by crafted templates, leading to resource exhaustion. Impact is described as denial of service via consumed...
CVE-2026-33939
Summary: CVE-2026-33939 affects Handlebars 4.0.0–4.7.8, where a template using decorator syntax referencing an unregistered decorator (e.g. {{*n}}) causes the runtime to call an undefined value as a function, leading to an unhandled TypeError and a potential single-request DoS. The issue is fixed...
CVE-2026-33940
CVE-2026-33940 affects Handlebars runtimes from 4.0.0 through 4.7.8, where a crafted object in the template context can bypass guards in resolvePartial() and cause invokePartial() to return undefined. This leads the runtime to treat an unresolved partial as a source to be compiled, feeding a vali...
CVE-2026-33941
The CVE-2026-33941 issue affects the Handlebars CLI precompiler (bin/handlebars, lib/precompiler.js) from versions 4.0.0–4.7.8, where user-controlled template filenames and CLI options are concatenated into the emitted JavaScript without escaping. An attacker who can influence filenames or argume...
CVE-2026-33938
The vulnerability CVE-2026-33938 affects the Handlebars library. In versions 4.0.0 through 4.7.8, the special variable @partial-block is stored in the template data context and can be reached and mutated via helpers that accept arbitrary objects. An attacker could overwrite @partial-block with a ...
CVE-2026-33916
Handlebars.js CVE-2026-33916 affects 4.0.0–4.7.8 where resolvePartial() looks up partials via options.partials without guarding prototype traversal. If Object.prototype is polluted with a string key matching a partial, that string becomes the partial body and is rendered unescaped, enabling refle...