CVE-2026-33916
- Source
- https://cve.org/CVERecord?id=CVE-2026-33916
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33916.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33916
- Aliases
- Downstream
- Related
- Published
- 2026-03-27T21:00:48.624Z
- Modified
- 2026-04-10T05:43:19.951515Z
- Severity
-
- 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
- Details
-
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8,
resolvePartial()in the Handlebars runtime resolves partial names via a plain property lookup onoptions.partialswithout guarding against prototype-chain traversal. WhenObject.prototypehas been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. ApplyObject.freeze(Object.prototype)early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (handlebars/runtime), which does not compile templates and reduces the attack surface. - Database specific
{ "cwe_ids": [ "CWE-1321", "CWE-79" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33916.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33916.json
- https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
- https://nvd.nist.gov/vuln/detail/CVE-2026-33916