CVE-2026-33916 — Cross-site Scripting in Handlebars
Severity: 4.7 MEDIUM (NVD); 9.8 (GHSA); 9.8 (OSV)
EPSS: 0.0% (top 87.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; latest update Mar 28
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflec…
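As an added example (not Handlebars' own code), the following models the lookup pattern the description names: a plain property read on a partial registry that walks the prototype chain, beside an own-property guard and a null-prototype registry that close it. The registry contents, the polluted key and the `renderPartials` helper are constructed for illustration and are not taken from the library.

```javascript
// Unsafe pattern: a plain property read walks the prototype chain, so a key
// present only on the prototype is returned as if it were a registered partial.
function lookupPartialUnsafe(partials, name) {
  return partials[name];
}

// Hardened lookup: only own, string-valued entries of the registry count.
// Anything inherited (including polluted Object.prototype keys) is ignored.
function lookupPartialSafe(partials, name) {
  if (!Object.prototype.hasOwnProperty.call(partials, name)) return undefined;
  const body = partials[name];
  return typeof body === 'string' ? body : undefined;
}

// Constructed registry whose prototype carries a key the template author never
// registered. A private prototype object stands in for a polluted
// Object.prototype so the demonstration has no global side effects.
function makePollutedRegistry(pollutedKey, pollutedValue) {
  const proto = {};
  proto[pollutedKey] = pollutedValue;
  return Object.create(proto);
}

// Null-prototype registry: there is no chain to traverse at all.
function makeSafeRegistry(entries) {
  const reg = Object.create(null);
  for (const [k, v] of Object.entries(entries)) reg[k] = v;
  return reg;
}

// Minimal renderer for the one construct at issue, the partial reference
// `{{> name}}`. A missing partial fails closed instead of emitting whatever
// a plain property read happened to find on the prototype chain.
function renderPartials(template, partials) {
  return template.replace(/\{\{>\s*([\w.-]+)\s*\}\}/g, (_m, name) => {
    const body = lookupPartialSafe(partials, name);
    if (body === undefined) throw new Error(`partial '${name}' not registered`);
    return body;
  });
}
```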
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.6 | Impact: 2.7
Affected packages: 3
Vulnerability details
  Sources: CVEList, OSV, GHSA (4 entries)
    OSV: CVE-2026-33916: Handlebars provides the power necessary to let users build semantic templates (2026-03-27)
  Vendor advisories
  Threat intelligence (2 entries)
  Community (1 entry)
  Bugzilla (3 entries)
    CVE-2026-33916 openbao: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [fedora-all] (2026-03-28)
    CVE-2026-33916 nextcloud: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [epel-all] (2026-03-28)
    CVE-2026-33916 openbao: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution [epel-all] (2026-03-28)