UBUNTU-CVE-2026-33941

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-33941
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33941.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-33941
Upstream
Published
2026-03-27T22:16:00Z
Modified
2026-04-02T21:22:10.713706Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (bin/handlebars / lib/precompiler.js) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (", ', ;, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.

References

Affected packages

Ubuntu:18.04:LTS / node-handlebars

Package

Name
node-handlebars
Purl
pkg:deb/ubuntu/node-handlebars@3:4.0.10-5?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*
3:4.0.10-5

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "handlebars",
            "binary_version": "3:4.0.10-5"
        },
        {
            "binary_name": "libjs-handlebars",
            "binary_version": "3:4.0.10-5"
        },
        {
            "binary_name": "libjs-handlebars.runtime",
            "binary_version": "3:4.0.10-5"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33941.json"

Ubuntu:20.04:LTS / node-handlebars

Package

Name
node-handlebars
Purl
pkg:deb/ubuntu/node-handlebars@3:4.7.2-1?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*
3:4.1.0-1
3:4.5.3-1
3:4.7.2-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "handlebars",
            "binary_version": "3:4.7.2-1"
        },
        {
            "binary_name": "libjs-handlebars",
            "binary_version": "3:4.7.2-1"
        },
        {
            "binary_name": "libjs-handlebars.runtime",
            "binary_version": "3:4.7.2-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33941.json"

Ubuntu:22.04:LTS / node-handlebars

Package

Name
node-handlebars
Purl
pkg:deb/ubuntu/node-handlebars@3:4.7.7+~4.1.0-1?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*
3:4.7.6+~4.1.0-2
3:4.7.7+~4.1.0-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "handlebars",
            "binary_version": "3:4.7.7+~4.1.0-1"
        },
        {
            "binary_name": "libjs-handlebars",
            "binary_version": "3:4.7.7+~4.1.0-1"
        },
        {
            "binary_name": "libjs-handlebars.runtime",
            "binary_version": "3:4.7.7+~4.1.0-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33941.json"

Ubuntu:24.04:LTS / node-handlebars

Package

Name
node-handlebars
Purl
pkg:deb/ubuntu/node-handlebars@3:4.7.7+~4.1.0-1?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*
3:4.7.7+~4.1.0-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "handlebars",
            "binary_version": "3:4.7.7+~4.1.0-1"
        },
        {
            "binary_name": "libjs-handlebars",
            "binary_version": "3:4.7.7+~4.1.0-1"
        },
        {
            "binary_name": "libjs-handlebars.runtime",
            "binary_version": "3:4.7.7+~4.1.0-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33941.json"

Ubuntu:25.10 / node-handlebars

Package

Name
node-handlebars
Purl
pkg:deb/ubuntu/node-handlebars@3:4.7.7+~4.1.0-1?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3:4.*
3:4.7.7+~4.1.0-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "handlebars",
            "binary_version": "3:4.7.7+~4.1.0-1"
        },
        {
            "binary_name": "libjs-handlebars",
            "binary_version": "3:4.7.7+~4.1.0-1"
        },
        {
            "binary_name": "libjs-handlebars.runtime",
            "binary_version": "3:4.7.7+~4.1.0-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-33941.json"