CVE-2026-33941

HIGH EPSS 20.9%
Published Mar 27, 20263mo ago · Modified Jun 17, 20261w ago
8.2 CVSS 3.1
High
Find Similar
Published Mar 27, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.

CVSS Details

Base Score
8.2
Exploitability
1.5
Impact
6.0
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
20.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 3

CWE-116
CWE-79 Cross-site Scripting Injection
CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 1

VendorProductVersionRange
handlebarsjshandlebars*≥4.0.0  –  <4.7.9

References 3

  • github.com https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
    Patch
  • github.com https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
    Release Notes
  • github.com https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
    Patch