Lucene search
K
HandlebarsjsHandlebars

10 matches found

CVE
CVE
added 2021/04/12 1:10 p.m.663 views

CVE-2021-23369

CVE-2021-23369 affects handlebars.js prior to 4.7.7. It allows remote code execution when compiling templates from untrusted sources due to how certain compiling options are handled. The vulnerability is described in vendor advisories (e.g., IBM bulletin referencing Node.js handlebars module) and...

9.8CVSS7.5AI score0.07028EPSS
CVE
CVE
added 2026/03/27 9:3 p.m.228 views

CVE-2026-33937

CVE-2026-33937 affects Handlebars.js prior to 4.7.9, where Handlebars.compile() accepts a pre-parsed AST; the NumberLiteral.value is emitted into generated JS without quoting, enabling remote code execution if a crafted AST is supplied. Versions 4.0.0–4.7.8 are vulnerable; 4.7.9 fixes the issue. ...

9.8CVSS6.2AI score0.0178EPSS
CVE
CVE
added 2021/05/04 8:35 a.m.208 views

CVE-2021-23383

The CVE-2021-23383 issue affects the handlebars library before 4.7.7. It enables Prototype Pollution when compiling templates from an untrusted source. CVSS data indicates high/critical risk (NETWORK, no auth, no user interaction; impact on confidentiality, integrity, availability). Remediation: ...

9.8CVSS7.2AI score0.04506EPSS
CVE
CVE
added 2020/09/30 12:30 p.m.187 views

CVE-2019-20920

Technical details about CVE-2019-20920 are not publicly available in the provided connected documents. Monitor for updates.

8.1CVSS8.1AI score0.03193EPSS
CVE
CVE
added 2020/09/30 12:30 p.m.166 views

CVE-2019-20922

CVE-2019-20922 affects the Handlebars.js template engine before 4.4.5. The vulnerability stems from an eager RegExp matching approach in the parser, which can be forced into an endless loop by crafted templates, leading to resource exhaustion. Impact is described as denial of service via consumed...

7.8CVSS7.3AI score0.03793EPSS
CVE
CVE
added 2026/03/27 9:8 p.m.121 views

CVE-2026-33939

Summary: CVE-2026-33939 affects Handlebars 4.0.0–4.7.8, where a template using decorator syntax referencing an unregistered decorator (e.g. {{*n}}) causes the runtime to call an undefined value as a function, leading to an unhandled TypeError and a potential single-request DoS. The issue is fixed...

7.5CVSS5.9AI score0.00616EPSS
CVE
CVE
added 2026/03/27 9:11 p.m.109 views

CVE-2026-33940

CVE-2026-33940 affects Handlebars runtimes from 4.0.0 through 4.7.8, where a crafted object in the template context can bypass guards in resolvePartial() and cause invokePartial() to return undefined. This leads the runtime to treat an unresolved partial as a source to be compiled, feeding a vali...

8.1CVSS5.9AI score0.00703EPSS
CVE
CVE
added 2026/03/27 9:13 p.m.84 views

CVE-2026-33941

The CVE-2026-33941 issue affects the Handlebars CLI precompiler (bin/handlebars, lib/precompiler.js) from versions 4.0.0–4.7.8, where user-controlled template filenames and CLI options are concatenated into the emitted JavaScript without escaping. An attacker who can influence filenames or argume...

8.2CVSS6AI score0.00291EPSS
CVE
CVE
added 2026/03/27 9:5 p.m.77 views

CVE-2026-33938

The vulnerability CVE-2026-33938 affects the Handlebars library. In versions 4.0.0 through 4.7.8, the special variable @partial-block is stored in the template data context and can be reached and mutated via helpers that accept arbitrary objects. An attacker could overwrite @partial-block with a ...

8.1CVSS6.2AI score0.00709EPSS
CVE
CVE
added 2026/03/27 9:0 p.m.25 views

CVE-2026-33916

Handlebars.js CVE-2026-33916 affects 4.0.0–4.7.8 where resolvePartial() looks up partials via options.partials without guarding prototype traversal. If Object.prototype is polluted with a string key matching a partial, that string becomes the partial body and is rendered unescaped, enabling refle...

4.7CVSS5.8AI score0.00276EPSS