CVE-2026-33939 — Improper Check for Unusual or Exceptional Conditions in Handlebars
Severity
7.5 HIGH (NVD)
EPSS
0.0%
top 84.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 27
Latest update: Mar 28
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-su…
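A pre-flight check for the condition described above, as an added example that is not part of the advisory or of Handlebars: it rejects templates that reference a decorator the application has not registered, before they reach the compiler. The function names, the allowlist and the sample templates are assumptions of this example; `inline` is the decorator Handlebars registers by default.

```javascript
// Added example: reject untrusted templates that reference unregistered decorators.
// All names below are hypothetical helpers, not Handlebars API.

// Decorators the application knows are registered ("inline" is the built-in one).
const REGISTERED_DECORATORS = new Set(['inline']);

// Matches decorator mustaches: {{*name}} and {{#*name}}, optionally with the
// whitespace-control tilde ({{~*name}}). Deliberately conservative: it also
// matches inside comments and raw blocks, which only makes the check stricter.
const DECORATOR_RE = /\{\{~?#?\*\s*([^\s~}]+)/g;

// Returns the distinct decorator names used in `template` that are not registered.
function findUnregisteredDecorators(template, registered = REGISTERED_DECORATORS) {
  const unknown = [];
  for (const m of template.matchAll(DECORATOR_RE)) {
    if (!registered.has(m[1]) && !unknown.includes(m[1])) unknown.push(m[1]);
  }
  return unknown;
}

// Gate in front of a compile step. `compile` is injected by the caller
// (for example Handlebars.compile) and is never called for a rejected template.
function compileUntrusted(template, compile, registered = REGISTERED_DECORATORS) {
  const unknown = findUnregisteredDecorators(template, registered);
  if (unknown.length > 0) {
    throw new RangeError('unregistered decorator(s): ' + unknown.join(', '));
  }
  return compile(template);
}

// Constructed sample templates, not taken from the advisory except {{*n}}.
const SAMPLES = [
  'Hello {{name}}',                                        // no decorators
  '{{#*inline "row"}}<td>{{v}}</td>{{/inline}}{{> row}}',  // built-in decorator
  '{{*n}}',                                                // the form from the description
  '{{~#* audit}}x{{/audit}}',                              // block form, whitespace control
];

// Maps each sample to the unregistered decorator names found in it.
function scanSamples() {
  return SAMPLES.map((t) => findUnregisteredDecorators(t));
}
```

The caller still has to catch the `RangeError` (and any error from compiling or rendering) and turn it into a request-level failure, so that one bad template cannot end the process.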
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 3 packages
Vulnerability Details (4)
GHSA: Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation (2026-03-27)
CVEList: Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation (2026-03-27)
OSV: Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation (2026-03-27)
OSV: CVE-2026-33939: Handlebars provides the power necessary to let users build semantic templates (2026-03-27)