CVE-2026-33937
published 2026-03-27


Priority: P268 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.74% (74.9th percentile)
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue.

Some workarounds are available:

  • Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value.
  • Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < 3:4.7.9-1 (forky) | 3:4.7.9-1 (forky) |
| handlebars-lang | handlebars.js | | |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |

Detection & IOCs (extracted from sources)

  • The attack vector is supplying a crafted AST object (not a string) to Handlebars.compile(). Detect calls to compile() where the argument is a plain object or JSON-deserialized value rather than a string.
  • The specific unsanitized field is `value` inside a `NumberLiteral` AST node. Look for AST objects with a `NumberLiteral` node whose `value` field contains JavaScript code or special characters (e.g., semicolons, parentheses, quotes) rather than a plain numeric literal.
  • Affected Handlebars versions are 4.0.0 through 4.7.8. Flag any server-side Node.js process loading handlebars at these versions as at-risk for RCE via compile().
  • The vulnerability only applies when Handlebars.compile() is reachable with attacker-controlled input. If the server uses the runtime-only build (handlebars/runtime), compile() is unavailable and the attack vector does not exist.
  • OpenBao is confirmed not affected because it has no server-side JavaScript, so Handlebars compile() is never invoked in that context.
  • Red Hat products are only affected if they process untrusted input through the compile() function; products that do not expose this code path are not affected.
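The two checks above (a string-only guard in front of `compile()`, and a scan of AST objects for `NumberLiteral` nodes whose `value` is not a plain number) as an added example; this is not code from the advisory or the Handlebars project. The function names, the simplified AST shape and the constructed sample ASTs are assumptions; `compileFn` is injected so the block runs without the handlebars package.

```javascript
// Added example (not from the advisory or Handlebars): defensive checks for the
// CVE-2026-33937 vector, where a non-string (AST) argument reaches compile().

// A plain numeric literal: optional sign, digits, optional fraction and exponent.
const PLAIN_NUMBER = /^-?\d+(\.\d+)?([eE][+-]?\d+)?$/;

// Walk an AST-like object tree and collect every NumberLiteral whose `value`
// is not a finite number or a plain numeric string (code, quotes, semicolons
// or parentheses in `value` are exactly what the advisory says to look for).
function findSuspiciousNumberLiterals(node, path = 'ast', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findSuspiciousNumberLiterals(child, `${path}[${i}]`, hits));
  } else if (node && typeof node === 'object') {
    if (node.type === 'NumberLiteral') {
      const v = node.value;
      const ok = (typeof v === 'number' && Number.isFinite(v)) ||
                 (typeof v === 'string' && PLAIN_NUMBER.test(v));
      if (!ok) hits.push({ path, value: v });
    }
    for (const [key, child] of Object.entries(node)) {
      if (key !== 'loc') findSuspiciousNumberLiterals(child, `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Advisory workaround: only ever hand compile() a string. Any object, including
// a JSON-deserialized one, is rejected before it can reach the AST code path.
function compileStringOnly(compileFn, input) {
  if (typeof input !== 'string') {
    const kind = Array.isArray(input) ? 'array' : typeof input;
    throw new TypeError(`Handlebars.compile() must receive a string, got ${kind}`);
  }
  return compileFn(input);
}

// Constructed sample: a simplified Program AST for the template "{{add 42}}".
const SAMPLE_BENIGN_AST = {
  type: 'Program',
  body: [{
    type: 'MustacheStatement',
    path: { type: 'PathExpression', original: 'add' },
    params: [{ type: 'NumberLiteral', value: 42, original: 42 }],
  }],
};

// Constructed sample of the risky shape: the same AST after a JSON round trip,
// with a non-numeric string in the NumberLiteral value (placeholder, not a payload).
const SAMPLE_CRAFTED_AST = JSON.parse(JSON.stringify(SAMPLE_BENIGN_AST));
SAMPLE_CRAFTED_AST.body[0].params[0].value = '42; notANumber()';
```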

CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |