CVE-2026-33938 in Handlebarsinformation

Résumé (Anglaise)

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.

Responsable

GitHub_M

Réserver

24/03/2026

Divulgation

27/03/2026

Entrées

VulDB provides additional information and datapoints for this CVE:

IDVulnérabilitéCWEExpConCVE
354036Handlebars compile élévation de privilèges94Non définiCorrectif officielCVE-2026-33938

Description

CPE

CWE

CVSS

Exploits

Histoire

Diff

Relier

Renseignements sur les menaces

API JSON

API XML

API CSV

PrécédentAperçuSuivant

Want to know what is going to be exploited?

We predict KEV entries!