CVE-2026-33938
Published 2026-03-27
Priority P3 · 51 · High · 8.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.69% (48.2th percentile)
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.
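The second workaround (helpers must treat context data as read-only) can be enforced rather than only audited. The following is an added JavaScript example, not Handlebars' own code: `guardHelper` wraps a registered helper so that every object it is handed, positional arguments, `options.hash` and `options.data` alike, is a read-only view, and a helper that assigns into one of them (the kind of write that could replace `partial-block` in the data frame or its `_parent`) throws a `TypeError`. `makeOptions` is a constructed stand-in for the options object Handlebars passes to a helper.

```javascript
// Added example, not Handlebars' own code. guardHelper wraps a helper so the
// objects it receives are read-only views: a helper that assigns into them
// (the write that could plant a fake 'partial-block') throws a TypeError.
function readOnlyView(obj, path) {
  if (obj === null || typeof obj !== 'object') return obj; // primitives and functions pass through
  const deny = (verb, prop) => { throw new TypeError(`helper ${verb} ${path}.${String(prop)}: context data is read-only`); };
  return new Proxy(obj, {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      const desc = Object.getOwnPropertyDescriptor(target, prop);
      // Proxy invariant: a non-configurable, non-writable property must be returned unchanged.
      if (desc && !desc.configurable && !desc.writable) return value;
      return readOnlyView(value, `${path}.${String(prop)}`); // nested objects, e.g. data._parent
    },
    set: (_t, prop) => deny('wrote', prop),
    defineProperty: (_t, prop) => deny('defined', prop),
    deleteProperty: (_t, prop) => deny('deleted', prop),
  });
}

// Handlebars passes the options object (hash, data, fn, inverse, ...) as the last argument.
function guardHelper(name, fn) {
  return function guarded(...args) {
    const last = args.length - 1;
    const options = args[last];
    const safeArgs = args.map((a, i) => readOnlyView(a, `${name}.arg${i}`));
    if (options && typeof options === 'object' && 'data' in options) {
      safeArgs[last] = { ...options, hash: readOnlyView(options.hash, `${name}.hash`),
                                     data: readOnlyView(options.data, `${name}.data`) };
    }
    return fn.apply(readOnlyView(this, `${name}.this`), safeArgs);
  };
}

// Constructed stand-in for a nested data frame: partial-block in the current frame and its _parent.
function makeOptions() {
  const parent = { root: { user: 'alice' }, 'partial-block': () => 'outer block' };
  return { name: 'demo', hash: {}, data: { _parent: parent, root: parent.root, 'partial-block': () => 'block' } };
}

// A read-only helper keeps working; writeThrough mimics a helper that assigns into any object it is handed.
const upperFor = guardHelper('upperFor', (value, options) => `${String(value).toUpperCase()} for ${options.data.root.user}`);
const writeThrough = guardHelper('writeThrough', (obj, key, value) => { obj[key] = value; return 'written'; });

function runWellBehaved() { return upperFor('hi', makeOptions()); }
function attemptWrite(pick) { // pick selects which object the template hands to the helper
  const options = makeOptions();
  try { writeThrough(pick(options), 'partial-block', { tampered: true }, options); return 'write allowed'; }
  catch (e) { return e instanceof TypeError ? 'write blocked' : `unexpected: ${e.message}`; }
}
```

Third-party helpers (for example from `handlebars-helpers`) that intentionally assign into context objects will start throwing once wrapped, which is exactly what the audit in the second workaround is meant to surface.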
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < node-handlebars 3:4.7.9-1 (forky) | node-handlebars 3:4.7.9-1 (forky) |
| handlebars-lang | handlebars.js | — | — |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 8.1 | HIGH | — |
| vendor_debian | — | 8.1 | HIGH | — |
| vendor_redhat | — | 8.1 | HIGH | — |
GHSA (ghsa · 2026-03-27)
CVE-2026-33938 [HIGH] CWE-843: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
## Summary
The `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server.
## Description
Handlebars stores `@partial-block` in the `data` frame that is accessible to templates. In nested contexts, a parent frame's `@partial-block` is reachable as `@_parent.partial-block`. Because the data frame is a mutable object, any registered helper that accepts an object reference and assigns pro
OSV (osv · 2026-03-27 · CVSS 8.1)
CVE-2026-33938 [HIGH] CVE-2026-33938: Handlebars provides the power necessary to let users build semantic templates (repeats the description above)
OSV (osv · 2026-03-27)
CVE-2026-33938 [HIGH] Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block (mirrors the GHSA advisory above)
Red Hat (vendor_redhat · 2026-03-27 · CVSS 8.1)
CVE-2026-33938 [HIGH] CWE-917: handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite (repeats the description above)
Debian (vendor_debian · 2026 · CVSS 8.1)
CVE-2026-33938 [HIGH] CVE-2026-33938: node-handlebars - Handlebars provides the power necessary to let users build semantic templates. I... (repeats the description above)
No detection rules found.
No public exploits indexed.
Bugzilla (bugzilla · 2026-03-28 · CVSS 8.1)
CVE-2026-33938 [HIGH] openbao: Handlebars: Arbitrary code execution via @partial-block overwrite [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
OpenBao does not have any javascript in the server, so this vulnerability is not applicable.
Bugzilla (bugzilla · 2026-03-28 · CVSS 8.1)
CVE-2026-33938 [HIGH] openbao: Handlebars: Arbitrary code execution via @partial-block overwrite [fedora-all]
Discussion:
OpenBao does not have any javascript in the server, so this vulnerability is not applicable.
Bugzilla (bugzilla · 2026-03-28 · CVSS 8.1)
CVE-2026-33938 [HIGH] nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [epel-all]
Discussion:
FEDORA-2026-cb5661d883 (nextcloud-33.0.3-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-cb5661d883
---
FEDORA-EPEL-2026-f7ea7872a6 (nextcloud-33.0.3-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-f7ea7872a6
---
FEDORA-EPEL-2026-6610e2eca4 (nextcloud-33.0.3-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
ht
Bugzilla (bugzilla · 2026-03-28 · CVSS 8.1)
CVE-2026-33938 [HIGH] nextcloud: Handlebars: Arbitrary code execution via @partial-block overwrite [fedora-all] (same Fedora and EPEL updates as the epel-all tracker above)
Bugzilla (bugzilla · 2026-03-27 · CVSS 8.1)
CVE-2026-33938 [HIGH] handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite (repeats the description above)
Wiz (blogs_wiz · CVSS 2.8)
CVE-2026-33938 [LOW] CVE-2026-33938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33938: Grafana vulnerability analysis and mitigation
Wiz Threat Research note: Wiz has overridden initial access potential to FALSE since the vulnerability is only exploitable under specific conditions.
| Field | Value |
|---|---|
| Source | NVD |
| Score | 8.1 |
| Published | March 27, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | Grafana, Wolfi |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 24.8 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | kibana-9.1, opensearch-dashboards-2 |
| Sources | NVD |
| Chainguard | Has Fix, added Mar 31, 2026 |
| Debian 11, 12, 13 | Severity |
References
- https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/security/cve/CVE-2026-33938
- https://bugzilla.redhat.com/show_bug.cgi?id=2452525
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33938.json
Published 2026-03-27