DEBIAN-CVE-2026-33916

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33916

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33916.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33916

Upstream

CVE-2026-33916

Published

2026-03-27T21:17:27.237Z

Modified

2026-04-03T06:00:17.122707Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, resolvePartial() in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply Object.freeze(Object.prototype) early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (handlebars/runtime), which does not compile templates and reduces the attack surface.

References

https://security-tracker.debian.org/tracker/CVE-2026-33916

Affected packages

Debian:11 / node-handlebars

Package

Name: node-handlebars
Purl: pkg:deb/debian/node-handlebars?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*

3:4.7.6+~4.1.0-2

3:4.7.6+~4.1.0-3

3:4.7.7+~4.1.0-1

3:4.7.9-1

3:4.7.9-2

3:4.7.9-3

3:4.7.9-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33916.json"

Debian:12 / node-handlebars

Package

Name: node-handlebars
Purl: pkg:deb/debian/node-handlebars?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*

3:4.7.7+~4.1.0-1

3:4.7.9-1

3:4.7.9-2

3:4.7.9-3

3:4.7.9-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33916.json"

Debian:13 / node-handlebars

Package

Name: node-handlebars
Purl: pkg:deb/debian/node-handlebars?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*

3:4.7.7+~4.1.0-1

3:4.7.9-1

3:4.7.9-2

3:4.7.9-3

3:4.7.9-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33916.json"

Debian:14 / node-handlebars

Package

Name: node-handlebars
Purl: pkg:deb/debian/node-handlebars?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3:4.7.9-1

Affected versions

3:4.*

3:4.7.7+~4.1.0-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33916.json"