GHSA-r4gv-qr8j-p3pg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r4gv-qr8j-p3pg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-r4gv-qr8j-p3pg/GHSA-r4gv-qr8j-p3pg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r4gv-qr8j-p3pg
- Aliases
-
- CVE-2026-55760
- Published
- 2026-06-17T18:42:09Z
- Modified
- 2026-06-17T19:00:18.355274676Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- handlebars.java FileTemplateLoader Path Traversal
- Details
-
Impact
Any application that passes user-controlled input to Handlebars.compile() using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that use template names from URL path parameters, request parameters, or other user-controlled sources.
Patches
com.github.jknack:handlebars:4.5.2
Workarounds
Validate template name is derived from user input.
if (!file.getPath().startsWith(new File(prefix).getCanonicalPath())) { throw new IOException("Path traversal attempt detected: " + location); } - Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2026-06-17T18:42:09Z", "github_reviewed": true, "severity": "HIGH", "cwe_ids": [ "CWE-22" ] }- References
Affected packages
Maven / com.github.jknack:handlebars
Package
- Name
- com.github.jknack:handlebars
- View open source insights on deps.dev
- Purl
- pkg:maven/com.github.jknack/handlebars
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.5.2
Affected versions
0.*
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.6.1
0.6.2
0.7.0
0.8.0
0.9.0
0.10.0
0.11.0
0.12.0
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.3.2
3.*
3.0.0
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.1.0
4.1.1
4.1.2
4.2.0
4.2.1
4.3.0
4.3.1
4.4.0
4.5.0
4.5.1