CVE-2026-33939
Published 2026-03-27
CVE-2026-33939: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator…
Priority P3 · 43 · high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.60% (44.3rd percentile)
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.
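As an added example (not code from the advisory or from handlebars.js), the following wrapper applies two of the listed workarounds in front of any compile function: reject decorator syntax before `compile()` and guard compile and render with `try/catch`. `vulnerableCompileStub` is a constructed stand-in for the pre-4.7.9 `compile()` that reproduces only the `undefined`-invocation path described above, so the example runs without the real library.

```javascript
// Added example, not code from the advisory or from handlebars.js: it applies
// two of the listed workarounds (reject decorator syntax before compile(), wrap
// compile and render in try/catch) in front of any compile function.

// Matches `{{*name}}` and block-decorator openings such as `{{#*inline "p"}}`.
const DECORATOR_SYNTAX = /\{\{\s*#?\s*\*/;

function hasDecoratorSyntax(source) {
  return DECORATOR_SYNTAX.test(source);
}

// Compile and render one untrusted template. Returns a result object instead of
// letting a TypeError thrown by the generated code unwind the Node.js process.
function renderUntrusted(source, context, compileFn, { allowDecorators = false } = {}) {
  if (!allowDecorators && hasDecoratorSyntax(source)) {
    return { ok: false, error: 'rejected: template uses decorator syntax' };
  }
  try {
    const template = compileFn(source);
    return { ok: true, output: template(context) };
  } catch (err) {
    // Only this request fails; the process keeps serving the others.
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

// Constructed stand-in for the pre-4.7.9 compile(): no decorators are registered,
// so lookupProperty(decorators, name) yields undefined and the generated code
// still invokes it, which is the `... is not a function` crash described above.
// Only `{{key}}` interpolation and a single `{{*name}}` decorator are modelled.
function vulnerableCompileStub(source) {
  const decorators = Object.create(null);
  const lookupProperty = (obj, name) =>
    Object.prototype.hasOwnProperty.call(obj, name) ? obj[name] : undefined;
  const decorator = /\{\{\s*\*\s*(\w+)\s*\}\}/.exec(source);
  return function template(ctx) {
    let fn = (c) =>
      source.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => (c[k] === undefined ? '' : String(c[k])));
    if (decorator) {
      // Mirrors the generated `fn = lookupProperty(decorators, "n")(fn, props, ...)`.
      fn = lookupProperty(decorators, decorator[1])(fn, {}, {});
    }
    return fn(ctx);
  };
}
```

With `allowDecorators: false` (the default) the malformed template never reaches `compile()`; with it enabled, the stub throws the same `TypeError` the advisory describes and the wrapper turns it into a per-request error.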
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < node-handlebars 3:4.7.9-1 (forky) | node-handlebars 3:4.7.9-1 (forky) |
| handlebars-lang | handlebars.js | — | — |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
ghsa·2026-03-27
CVE-2026-33939 [HIGH] CWE-754 Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
## Summary
When a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service.
## Description
In `lib/handlebars/compiler/javascript-compiler.js`, the code generated for a decorator invocation looks like:
```javascript
fn = lookupProperty(decorators, "n")(fn, props, cont
```
OSV
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
osv·2026-03-27
CVE-2026-33939 [HIGH] Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
## Summary
When a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service.
## Description
In `lib/handlebars/compiler/javascript-compiler.js`, the code generated for a decorator invocation looks like:
```javascript
fn = lookupProperty(decorators, "n")(fn, props, cont
```
OSV
CVE-2026-33939: Handlebars provides the power necessary to let users build semantic templates
osv·2026-03-27·CVSS 7.5
CVE-2026-33939 [HIGH] CVE-2026-33939: Handlebars provides the power necessary to let users build semantic templates
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates co
Red Hat
handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
vendor_redhat·2026-03-27·CVSS 7.5
CVE-2026-33939 [HIGH] CWE-248 handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and
Debian
CVE-2026-33939: node-handlebars - Handlebars provides the power necessary to let users build semantic templates. I...
vendor_debian·2026·CVSS 7.5
CVE-2026-33939 [HIGH] CVE-2026-33939: node-handlebars - Handlebars provides the power necessary to let users build semantic templates. I...
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates co
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
bugzilla·2026-03-28·CVSS 7.5
CVE-2026-33939 [HIGH] CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-cb5661d883 (nextcloud-33.0.3-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-cb5661d883
---
FEDORA-EPEL-2026-f7ea7872a6 (nextcloud-33.0.3-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-f7ea7872a6
---
FEDORA-EPEL-2026-6610e2eca4 (nextcloud-33.0.3-1.el10_2) has been submitted as an update
Bugzilla
CVE-2026-33939 openbao: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
bugzilla·2026-03-28·CVSS 7.5
CVE-2026-33939 [HIGH] CVE-2026-33939 openbao: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
Discussion:
OpenBao does not have any javascript in the server, so this vulnerability is not applicable.
Bugzilla
CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
bugzilla·2026-03-28·CVSS 7.5
CVE-2026-33939 [HIGH] CVE-2026-33939 nextcloud: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [epel-all]
Discussion:
FEDORA-2026-cb5661d883 (nextcloud-33.0.3-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-cb5661d883
---
FEDORA-EPEL-2026-f7ea7872a6 (nextcloud-33.0.3-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-f7ea7872a6
---
FEDORA-EPEL-2026-6610e2eca4 (nextcloud-33.0.3-1.el10_2) has been submitted as an update t
Bugzilla
CVE-2026-33939 openbao: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
bugzilla·2026-03-28·CVSS 7.5
CVE-2026-33939 [HIGH] CVE-2026-33939 openbao: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation [fedora-all]
Discussion:
OpenBao does not have any javascript in the server, so this vulnerability is not applicable.
Bugzilla
CVE-2026-33939 handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
bugzilla·2026-03-27·CVSS 7.5
CVE-2026-33939 [HIGH] CVE-2026-33939 handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap
Wiz
GHSA-442j-39wm-28r2 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
[HIGH] GHSA-442j-39wm-28r2 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-442j-39wm-28r2 :
Handlebars vulnerability analysis and mitigation
## Summary
## Description
`lib/handlebars/runtime.js`:
```javascript
lookup: function (depths, name) {
  const len = depths.length;
  for (let i = 0; i < len; i++) {
    let result = depths[i] && container.lookupProperty(depths[i], name);
    if (result != null) {
      return depths[i][name]; // BUG: should be `return result;`
    }
  }
},
```
## Workarounds
{ compat: true }
Ensure context data objects are plain JSON (
Wiz
CVE-2026-33939 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.8
CVE-2026-33939 [LOW] CVE-2026-33939 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33939 :
Grafana vulnerability analysis and mitigation
Source : NVD
Score 7.5
Published March 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Grafana
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
firefox-x11
grafana-loki
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity HIGH No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2
Wiz
GHSA-7rx3-28cr-v5wh Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.6
[MEDIUM] GHSA-7rx3-28cr-v5wh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-7rx3-28cr-v5wh :
Handlebars vulnerability analysis and mitigation
## Summary
## Description
`lib/handlebars/internal/proto-access.js`:
```javascript
const methodWhiteList = Object.create(null);
methodWhiteList['constructor'] = false;
methodWhiteList['__defineGetter__'] = false;
methodWhiteList['__defineSetter__'] = false;
methodWhiteList['__lookupGetter__'] = false;
// __lookupSetter__ intentionally blocked in CVE-2021-23383,
// but omitted here — creating an asymmetric blocklist
```
References:
- https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
- https://access.redhat.com/errata/RHSA-2026:10175
- https://access.redhat.com/security/cve/CVE-2026-33939
- https://bugzilla.redhat.com/show_bug.cgi?id=2452508
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33939.json
Published 2026-03-27