CVE-2026-33940

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33940
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33940.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33940
Aliases
Downstream
Related
Published
2026-03-27T21:11:10.719Z
Modified
2026-04-10T05:43:19.980111Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in resolvePartial() and cause invokePartial() to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile(). Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (require('handlebars/runtime')). Without compile(), the fallback compilation path in invokePartial is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups ({{> (lookup ...)}}) when context data is user-controlled.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33940.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-843",
        "CWE-94"
    ]
}
References

Affected packages

Git / github.com/handlebars-lang/handlebars.js

Affected ranges

Type
GIT
Repo
https://github.com/handlebars-lang/handlebars.js
Events
Introduced
bff5fab8f9d42e21950be00dcf1cedf4dc1a565b
Fixed
dce542c9a660048d31f0981ac8a45c08b919bddb
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.7.9"
        }
    ]
}

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.1
v4.1.2
v4.1.2-0
v4.2.0
v4.2.1
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.7.7
v4.7.8

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33940.json"