CVE-2026-33941 — Cross-site Scripting in Handlebars
Severity: 8.2 HIGH (NVD)
EPSS: 0.0% (top 95.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 27
Latest update: Mar 28
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in No…
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability: 1.5 | Impact: 6.0
Affected Packages: 3 packages
Patches
Vulnerability Details (4 references)
GHSA: Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options (2026-03-27)
CVEList: Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options (2026-03-27)
OSV: CVE-2026-33941: Handlebars provides the power necessary to let users build semantic templates (2026-03-27)
OSV: Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options (2026-03-27)