CRITICAL
CVE-2026-33916
npm
CVSS 9.8
handlebars
Published
Description
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Affected Versions
>=4.0.0
Fixed Versions
4.7.9
References
WEB https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-23369
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-23383
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33916
WEB https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
PACKAGE https://github.com/handlebars-lang/handlebars.js
WEB https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
WEB https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33937
WEB https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-33938
WEB https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
WEB https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
WEB https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf