CVE-2026-33937 — Code Injection in Handlebars
Severity
9.8CRITICALNVD
EPSS
0.4%
top 37.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 27
Latest updateMar 28
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages3 packages
Patches
🔴Vulnerability Details
4OSV▶
CVE-2026-33937: Handlebars provides the power necessary to let users build semantic templates↗2026-03-27
📋Vendor Advisories
2🕵️Threat Intelligence
1💬Community
1Bugzilla▶
CVE-2026-33937 openbao: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() [fedora-all]↗2026-03-28