Handlebarsjs Handlebars

10 CVEs affecting Handlebarsjs Handlebars. Latest disclosed: 2026-03-27. Critical: 1, High: 6.

Top CVEs affecting Handlebarsjs Handlebars
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2026-33937 | Critical | 9.8 | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST… |
| CVE-2026-33941 | High | 8.2 | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars… |
| CVE-2026-33940 | High | 8.1 | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context… |
| CVE-2026-33938 | High | 8.1 | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored… |
| CVE-2019-20920 | High | 8.1 | 2020-09-30 | Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attack… |
| CVE-2026-33939 | High | 7.5 | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator s… |
| CVE-2019-20922 | High | 7.5 | 2020-09-30 | Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while proc… |
| CVE-2021-23383 | Medium | 5.6 | 2021-05-04 | The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untruste… |
| CVE-2021-23369 | Medium | 5.6 | 2021-04-12 | The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an… |
| CVE-2026-33916 | Medium | 4.7 | 2026-03-27 | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime re… |