Handlebarsjs Handlebars vulnerabilities
12 known vulnerabilities affecting handlebarsjs/handlebars.
Total CVEs: 12
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 2
Vulnerabilities
CVE-2026-33937 [CRITICAL] CVSS 9.8, CWE-94, affected: ≥ 4.0.0, < 4.7.9, published 2026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who ca
Sources: ghsa, nvd, osv
CVE-2026-33938 [HIGH] CVSS 8.1, CWE-94, affected: ≥ 4.0.0, < 4.7.9, published 2026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AS
Sources: ghsa, nvd, osv
CVE-2026-33939 [HIGH] CVSS 7.5, CWE-754, affected: ≥ 4.0.0, < 4.7.9, published 2026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the re
Sources: ghsa, nvd, osv
CVE-2026-33940 [HIGH] CVSS 8.1, CWE-94, affected: ≥ 4.0.0, < 4.7.9, published 2026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be
Sources: ghsa, nvd, osv
CVE-2026-33941 [HIGH] CVSS 8.2, CWE-79, affected: ≥ 4.0.0, < 4.7.9, published 2026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An atta
Sources: ghsa, nvd, osv
CVE-2026-33916 [MEDIUM] CVSS 4.7, CWE-79, affected: ≥ 4.0.0, < 4.7.9, published 2026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose ke
Sources: ghsa, nvd, osv
CVE-2021-23383 [CRITICAL] CVSS 9.8, CWE-1321, fixed in 4.7.7, affected: ≥ unspecified, < 4.7.7, published 2021-05-04
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2021-23369 [CRITICAL] CVSS 9.8, fixed in 4.7.7, affected: ≥ unspecified, < 4.7.7, published 2021-04-12
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Sources: cvelistv5, ghsa, nvd, osv
CVE-2019-20920 [HIGH] CVSS 8.1, CWE-94, fixed in 3.0.8, affected: ≥ 4.0.0, < 4.5.3, published 2020-09-30
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Sources: ghsa, nvd, osv
CVE-2019-20922 [HIGH] CVSS 7.5, CWE-400, affected: ≥ 4.0.0, < 4.4.5, published 2020-09-30
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Sources: ghsa, nvd, osv
CVE-2019-19919 [CRITICAL] CWE-1321, affected: ≥ 4.0.0, < 4.3.0 and ≥ 0, < 3.0.8, published 2019-12-26
Prototype Pollution in handlebars
Versions of `handlebars` prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads.
## Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
Sources: ghsa, osv
CVE-2015-8861 [MEDIUM] CWE-79, affected: ≥ 0, < 4.0.0, published 2018-10-23
Cross-Site Scripting in handlebars
Versions of `handlebars` prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
## Proof of Concept
Template:
``````
Input:
```js
{ 'foo' : 'test.com onload=alert(1)'}
```
Rendered result:
``````
## Recommendation
Update to version 4.0.0 or later.
Alternatively, ensure that all attributes in handlebars templates are encapsulat
Sources: ghsa, osv