CVE-2026-33937
published 2026-03-27
Priority P268 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.74% (74.9th percentile)
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < node-handlebars 3:4.7.9-1 (forky) | node-handlebars 3:4.7.9-1 (forky) |
| handlebars-lang | handlebars.js | — | — |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
Detection & IOCs (extracted from sources)
- The attack vector is supplying a crafted AST object (not a string) to Handlebars.compile(). Detect calls to compile() where the argument is a plain object or JSON-deserialized value rather than a string.
- The specific unsanitized field is `value` inside a `NumberLiteral` AST node. Look for AST objects with a `NumberLiteral` node whose `value` field contains JavaScript code or special characters (e.g., semicolons, parentheses, quotes) rather than a plain numeric literal.
- Affected Handlebars versions are 4.0.0 through 4.7.8. Flag any server-side Node.js process loading handlebars at these versions as at-risk for RCE via compile().
- The vulnerability only applies when Handlebars.compile() is reachable with attacker-controlled input. If the server uses the runtime-only build (handlebars/runtime), compile() is unavailable and the attack vector does not exist.
- OpenBao is confirmed not affected because it has no server-side JavaScript, so Handlebars compile() is never invoked in that context.
- Red Hat products are only affected if they process untrusted input through the compile() function; products that do not expose this code path are not affected.
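As an added, defensive example (not code from the Handlebars project or from any of the advisories on this page), the JavaScript below implements the two checks the workaround and the detection notes describe: it refuses anything but a string before handing input to `compile()`, and, for code bases that legitimately pass pre-parsed ASTs, it walks the object and rejects any `NumberLiteral` whose `value` is not a plain numeric literal. The `compileFn` parameter, the function names and the sample ASTs are assumptions so the block runs without the `handlebars` package; apart from `type: "NumberLiteral"` and `value`, the node fields in the constructed ASTs are an approximation, not the project's documented AST.

```javascript
// Added defensive example (not Handlebars project code). `compileFn` stands in
// for Handlebars.compile so this runs offline; in production pass the real one.

// A plain numeric literal: optional sign, digits, optional fraction/exponent.
// Anything else in NumberLiteral.value (';', '(', quotes, ...) is rejected.
const NUMERIC_LITERAL = /^-?(?:\d+(?:\.\d+)?|\.\d+)(?:[eE][+-]?\d+)?$/;

// Walk an AST-like object (any nesting of objects/arrays) and collect every
// NumberLiteral node whose value would not serialize as a bare number.
function findSuspiciousNumberLiterals(node, path = "ast", out = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findSuspiciousNumberLiterals(child, `${path}[${i}]`, out));
    return out;
  }
  if (node === null || typeof node !== "object") return out;
  if (node.type === "NumberLiteral") {
    const v = node.value;
    const ok = (typeof v === "number" && Number.isFinite(v)) ||
               (typeof v === "string" && NUMERIC_LITERAL.test(v));
    if (!ok) out.push({ path, value: v });
  }
  for (const [key, child] of Object.entries(node)) {
    findSuspiciousNumberLiterals(child, `${path}.${key}`, out);
  }
  return out;
}

// Workaround from the advisory: only ever hand compile() a string. A JSON body
// or any other deserialized object is rejected before it reaches the compiler.
function compileTemplateString(compileFn, template) {
  if (typeof template !== "string") {
    const got = template === null ? "null" : typeof template;
    throw new TypeError(`template must be a string, got ${got}`);
  }
  return compileFn(template);
}

// For code that intentionally passes pre-parsed ASTs: validate, then compile.
function compileValidatedAst(compileFn, ast) {
  const bad = findSuspiciousNumberLiterals(ast);
  if (bad.length > 0) {
    const where = bad.map((b) => b.path).join(", ");
    throw new Error(`rejected AST: non-numeric NumberLiteral value at ${where}`);
  }
  return compileFn(ast);
}

// Constructed sample inputs (hypothetical, not taken from any real exploit).
const benignAst = {
  type: "Program",
  body: [{
    type: "MustacheStatement",
    path: { type: "PathExpression", original: "add" },
    params: [
      { type: "NumberLiteral", value: 41 },
      { type: "NumberLiteral", value: "1" },
    ],
  }],
};
const malformedAst = JSON.parse(JSON.stringify(benignAst));
malformedAst.body[0].params[1].value = "1; /* not a number */";

// Stand-in for Handlebars.compile: only records what type of input it received.
const recordingCompile = (input) => ({ compiledFrom: typeof input });
```

The string guard is the cheaper control and is the one to reach for first; the AST validator is only worth wiring in where an application already builds ASTs itself, since a deserialized AST from a request body should never reach `compile()` at all.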
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
OSV
Handlebars.js has JavaScript Injection via AST Type Confusion
osv · 2026-03-27 · CRITICAL
## Summary
`Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server.
## Description
`Handlebars.compile()` accepts either a template string or a pre-parsed AST. When an AST is supplied, the JavaScript code generator in `lib/handlebars/compiler/javascript-compiler.js` emits `NumberLiteral` values verbatim:
```javascript
// Simplified representation of the vulnerable code path:
// NumberLiteral.value is appende
```
GHSA
Handlebars.js has JavaScript Injection via AST Type Confusion
ghsa · 2026-03-27 · CRITICAL · CWE-843
OSV
CVE-2026-33937: Handlebars provides the power necessary to let users build semantic templates
osv · 2026-03-27 · CVSS 9.8 · CRITICAL
Red Hat
handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
vendor_redhat · 2026-03-27 · CVSS 9.8 · CRITICAL · CWE-94
Debian
CVE-2026-33937: node-handlebars - Handlebars provides the power necessary to let users build semantic templates. I...
vendor_debian · 2026 · CVSS 9.8 · CRITICAL
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33937 openbao: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]
bugzilla · 2026-03-28 · CVSS 9.8 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
OpenBao does not have any JavaScript in the server, so this vulnerability is not applicable.
Bugzilla
CVE-2026-33937 openbao: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [epel-all]
bugzilla · 2026-03-28 · CVSS 9.8 · CRITICAL
Discussion:
OpenBao has no server-side JavaScript, so this vulnerability is not applicable.
Bugzilla
CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [epel-all]
bugzilla · 2026-03-28 · CVSS 9.8 · CRITICAL
Discussion:
FEDORA-2026-cb5661d883 (nextcloud-33.0.3-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-cb5661d883
---
FEDORA-EPEL-2026-f7ea7872a6 (nextcloud-33.0.3-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-f7ea7872a6
---
FEDORA-EPEL-2026-6610e2eca4 (nextcloud-33.0.3-1.el10_2) has been submitted as an update to
Bugzilla
CVE-2026-33937 nextcloud: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]
bugzilla · 2026-03-28 · CVSS 9.8 · CRITICAL
Bugzilla
CVE-2026-33937 handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
bugzilla · 2026-03-27 · CVSS 9.8 · CRITICAL
Wiz
CVE-2026-33937 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 2.8 · LOW
## CVE-2026-33937: Grafana vulnerability analysis and mitigation
Wiz Threat Research note: Wiz has overridden initial access potential to FALSE since the vulnerability is only exploitable under specific conditions.
Source: NVD
- Score: 9.8
- Published: March 27, 2026
- Severity: CRITICAL
- CNA Score: 9.8
- Affected Technologies: Grafana, Wolfi
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 62.2
- Exploitation Probability (EPSS): 0.4
- Affected packages and libraries: thunderbird, handlebars
- Sources: NVD
- Chainguard: Has Fix, added at Mar 31, 2026
- Debian 11, 12, 13: Severity CRITICAL
References:
- https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/security/cve/CVE-2026-33937
- https://bugzilla.redhat.com/show_bug.cgi?id=2452523
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33937.json
Published 2026-03-27