SB2026040261 - Multiple vulnerabilities in handlebars.js
Published: April 2, 2026
Description
This security bulletin contains information about 8 security vulnerabilities.
1) Prototype pollution (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information and modify data.
The vulnerability exists due to improper access control in lib/handlebars/internal/proto-access.js when processing templates with the non-default allowProtoMethodsByDefault option enabled. A remote attacker can access the __lookupSetter__ prototype method to disclose sensitive information and modify data.
This issue affects the prototype method blocklist because __lookupSetter__ is omitted while related accessor helper methods remain blocked. The default configuration is not affected, and exploitation is only possible when allowProtoMethodsByDefault is explicitly set to true.
2) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to a time-of-check time-of-use race condition in the container.lookup function in lib/handlebars/runtime.js when processing property lookups with the compat compile option enabled. A remote attacker can trigger a crafted property lookup to disclose sensitive information.
This issue affects handlebars.js when {compat: true} enables depthedLookup, and the vulnerable code validates access through lookupProperty() but then performs a separate raw property read.
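Items 1 and 2 both hinge on a non-default option. The following is an added example, not code from the bulletin or from the Handlebars project: it audits the option objects an application passes to Handlebars.compile() and to the compiled template, reports the weak settings, and returns hardened copies. It assumes the public option names (allowProtoMethodsByDefault, allowProtoPropertiesByDefault, allowedProtoMethods, compat) and that a per-name allowedProtoMethods entry takes precedence over the *ByDefault switch; the three "related accessor helper methods" are assumed to be the __define*/__lookupGetter__ siblings.

```javascript
// Accessor helpers item 1 concerns: three are blocked by the library's default
// list, __lookupSetter__ is the one it omits (assumed set of names).
const ACCESSOR_HELPERS = ['__defineGetter__', '__defineSetter__',
                          '__lookupGetter__', '__lookupSetter__'];

// Runtime options are what the compiled template function is called with.
function auditRuntimeOptions(runtimeOptions = {}) {
  const findings = [];
  const hardened = { ...runtimeOptions,
    allowedProtoMethods: { ...(runtimeOptions.allowedProtoMethods || {}) } };
  if (runtimeOptions.allowProtoMethodsByDefault === true) {
    findings.push('allowProtoMethodsByDefault=true exposes prototype methods (item 1)');
    delete hardened.allowProtoMethodsByDefault;   // back to deny-by-default
  }
  if (runtimeOptions.allowProtoPropertiesByDefault === true) {
    findings.push('allowProtoPropertiesByDefault=true exposes prototype properties');
    delete hardened.allowProtoPropertiesByDefault;
  }
  // Pin every accessor helper to an explicit deny: a per-name entry wins over
  // the *ByDefault switch (assumption about allow-list precedence), so
  // __lookupSetter__ stays blocked even if the switch is re-enabled later.
  for (const name of ACCESSOR_HELPERS) {
    if (hardened.allowedProtoMethods[name] === true) {
      findings.push(`allowedProtoMethods.${name}=true exposes an accessor helper`);
    }
    hardened.allowedProtoMethods[name] = false;
  }
  return { findings, hardened };
}

// Compile options are what Handlebars.compile() is called with.
function auditCompileOptions(compileOptions = {}) {
  const findings = [];
  const hardened = { ...compileOptions };
  if (compileOptions.compat === true) {
    findings.push('compat=true enables depthedLookup and its TOCTOU read (item 2)');
    delete hardened.compat;                         // recursive lookup off
  }
  return { findings, hardened };
}

// Constructed weak configuration from items 1 and 2, beside its hardened form.
const weakRuntime = { allowProtoMethodsByDefault: true, allowedProtoMethods: { toString: true } };
const weakCompile = { compat: true };
console.log(auditRuntimeOptions(weakRuntime), auditCompileOptions(weakCompile));
```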
3) Cross-site scripting (CVE-ID: CVE-2026-33916)
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in resolvePartial() and invokePartial() in the Handlebars runtime when rendering a partial whose name is resolved through a polluted prototype chain. A remote attacker can pollute Object.prototype with a string value matching a partial reference to execute arbitrary script code in a victim's browser.
Exploitation requires a prototype pollution condition in the target application and user interaction to render a template that references the attacker-chosen partial name. The injected partial content is rendered without HTML escaping, which can result in reflected or stored cross-site scripting.
4) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2026-33939)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper check for unusual or exceptional conditions in template compilation in lib/handlebars/compiler/javascript-compiler.js when processing user-supplied templates containing decorator syntax that references an unregistered decorator. A remote attacker can submit a specially crafted template to cause a denial of service.
The issue occurs because the compiled template invokes the result of lookupProperty(decorators, ...) as a function even when it is undefined, leading to an unhandled TypeError that can crash the Node.js process. It affects applications that compile user-supplied templates at request time.
5) Code Injection (CVE-ID: CVE-2026-33941)
The vulnerability allows a local user to execute arbitrary JavaScript code.
The vulnerability exists due to improper neutralization of user-controlled input in the Handlebars CLI precompiler when generating JavaScript output from template file names and CLI options. A local user can supply specially crafted template names or option values to execute arbitrary JavaScript code.
The issue affects bin/handlebars and lib/precompiler.js through multiple injection points involving template names, namespace values, CommonJS paths, and AMD paths, and the injected code executes when the generated bundle is loaded in Node.js or a browser. User interaction is required to load the generated bundle.
6) Code Injection (CVE-ID: CVE-2026-33937)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in Handlebars.compile() and the JavaScript code generator when processing a crafted pre-parsed AST object. A remote attacker can supply a crafted AST with a malicious NumberLiteral value to execute arbitrary code.
The issue affects cases where user-controlled JSON or other untrusted input is deserialized and passed directly to compile() as an AST object instead of a template string, and no user interaction is required.
7) Code Injection (CVE-ID: CVE-2026-33938)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to code injection through type confusion in the @partial-block handling and dynamic compilation fallback when processing a tampered @partial-block value during partial invocation. A remote attacker can overwrite @partial-block with a crafted Handlebars AST to execute arbitrary code.
The issue affects handlebars.js when templates can reach and mutate the data frame, and a subsequent {{> @partial-block}} causes the crafted AST to be compiled and executed in the server process.
8) Code Injection (CVE-ID: CVE-2026-33940)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation caused by type confusion in dynamic partial handling in lib/handlebars/runtime.js when processing a dynamic partial lookup that returns a crafted object from the template context. A remote attacker can supply a crafted object as the looked-up dynamic partial value to execute arbitrary code.
The issue affects server-side rendering scenarios in which user-controlled context data can be returned by a dynamic partial lookup, such as {{> (lookup . "key")}}. Exploitation requires control over a value returned by the dynamic partial lookup.
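Items 4, 6 and 8 share a root cause: untrusted input reaching the compiler or the partial machinery as something other than a template string or a registered name. The following is an added example, not code from the bulletin or from the Handlebars project: a gate that runs before Handlebars.compile() and before a dynamic partial is invoked. It assumes node types and field names follow the Handlebars AST specification (Program, Decorator, DecoratorBlock, NumberLiteral, MustacheStatement, PathExpression) and that `registeredDecorators` and `registeredPartials` hold the names the application registered; the AST below is constructed for the example.

```javascript
const CHILD_FIELDS = ['body', 'program', 'inverse', 'path', 'name', 'params', 'hash', 'pairs', 'value'];

// Walks a Handlebars-shaped AST and collects policy findings before it is compiled.
function auditAst(node, registeredDecorators, findings = []) {
  if (Array.isArray(node)) {
    node.forEach(n => auditAst(n, registeredDecorators, findings));
    return findings;
  }
  if (!node || typeof node !== 'object') return findings;
  if (node.type === 'Decorator' || node.type === 'DecoratorBlock') {
    // Item 4: an unregistered decorator makes the compiled template call
    // undefined at render time; reject it here instead of crashing the process.
    const name = node.path && node.path.original;
    if (!registeredDecorators.has(name)) findings.push(`unregistered decorator "${name}"`);
  }
  if (node.type === 'NumberLiteral' && !Number.isFinite(node.value)) {
    // Item 6: NumberLiteral.value is emitted into generated code, so anything
    // but a real number is injected source rather than a template literal.
    findings.push(`non-numeric NumberLiteral ${JSON.stringify(node.value)}`);
  }
  for (const field of CHILD_FIELDS) {
    if (field in node) auditAst(node[field], registeredDecorators, findings);
  }
  return findings;
}

// Item 6's precondition is accepting an object where a template string belongs.
function compileInputFor(untrusted) {
  if (typeof untrusted !== 'string') {
    throw new TypeError('untrusted templates must be strings, never AST objects');
  }
  return untrusted;
}

// Item 8: a dynamic partial lookup over context data must yield a registered
// partial name, never an object taken from the context itself.
function partialNameFor(looked, registeredPartials) {
  if (typeof looked !== 'string' || !registeredPartials.has(looked)) {
    throw new TypeError('dynamic partial must resolve to a registered partial name');
  }
  return looked;
}

// Constructed AST standing in for deserialized JSON: {{* missing}}{{add 1}} with the literal tampered.
const tamperedAst = { type: 'Program', body: [
  { type: 'Decorator', path: { type: 'PathExpression', original: 'missing', parts: ['missing'] }, params: [], hash: undefined },
  { type: 'MustacheStatement', path: { type: 'PathExpression', original: 'add', parts: ['add'] }, hash: undefined,
    params: [{ type: 'NumberLiteral', value: 'not-a-number', original: '1' }] },
] };
```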
Remediation
Install update from vendor's website.
References
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-7rx3-28cr-v5wh
- https://github.com/advisories/GHSA-7rx3-28cr-v5wh
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
- https://github.com/advisories/GHSA-2qvq-rjwj-gvw9
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
- https://github.com/advisories/GHSA-9cx6-37pm-9jff
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
- https://github.com/advisories/GHSA-3mfm-83xf-c92r
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
- https://github.com/advisories/GHSA-xhpv-hc6g-r9c6