CVE-2026-33938 — Code Injection in Handlebars
Severity: 8.1 HIGH (NVD)
EPSS: 0.1% (top 75.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; latest update Mar 28
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Versio…
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.2 | Impact: 5.9)
Affected packages: 3 packages
Vulnerability details (4 references)
GHSA: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block (2026-03-27)
OSV: CVE-2026-33938: Handlebars provides the power necessary to let users build semantic templates (2026-03-27)
OSV: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block (2026-03-27)
CVEList: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block (2026-03-27)