Handlebars — CVE history (npm)
Handlebars
10 CVEs affect the Handlebars npm package (highest CVSS 9.8). Latest disclosed: 2026-03-27. Full CVE history sourced from NVD.
Summary
- Package: Handlebars (npm)
- Total CVEs: 10
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2026-03-27
Recent CVEs (top 10)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33941 | High | 8.2 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33940 | High | 8.1 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33939 | High | 7.5 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33938 | High | 8.1 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33937 | Critical | 9.8 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33916 | Medium | 4.7 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2021-23383 | Medium | 5.6 | — | 2021-05-04 | The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |
| CVE-2021-23369 | Medium | 5.6 | — | 2021-04-12 | The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. |
| CVE-2019-20922 | High | 7.5 | — | 2020-09-30 | Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. |
| CVE-2019-20920 | High | 8.1 | — | 2020-09-30 | Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33937 | Critical | 9.8 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33941 | High | 8.2 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33940 | High | 8.1 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2026-33938 | High | 8.1 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2019-20920 | High | 8.1 | — | 2020-09-30 | Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. |
| CVE-2026-33939 | High | 7.5 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |
| CVE-2019-20922 | High | 7.5 | — | 2020-09-30 | Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. |
| CVE-2021-23383 | Medium | 5.6 | — | 2021-05-04 | The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |
| CVE-2021-23369 | Medium | 5.6 | — | 2021-04-12 | The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. |
| CVE-2026-33916 | Medium | 4.7 | — | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. |