CVE-2026-33940
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in resolvePartial() and cause invokePartial() to return undefined. The Handlebars runtime then treats the unresolved partial as template source that still needs to be compiled and passes the crafted object to env.compile(). Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Until then, three workarounds are available:
- Use the runtime-only build (require('handlebars/runtime')). Without compile(), the fallback compilation path in invokePartial() is unreachable.
- Sanitize context data before rendering: ensure no value in the context is a non-primitive object that could be passed to a dynamic partial.
- Avoid dynamic partial lookups ({{> (lookup ...)}}) when context data is user-controlled.
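The two data-side workarounds above (sanitizing the context and guarding dynamic partial lookups) can be enforced in application code before Handlebars ever sees the partial name. The following is an added example, not code from the advisory or from the handlebars.js project; the allowlist REGISTERED_PARTIALS, the helper name partialName and the selector-key convention are assumptions for the illustration.

```javascript
// Added example (not from the advisory or handlebars.js): defensive checks that keep a
// non-primitive context value from ever reaching a dynamic partial lookup.
// REGISTERED_PARTIALS, the `partialName` helper name and the selector-key convention
// are assumptions made for this illustration.

// Constructed allowlist: the partial names this application actually registers.
const REGISTERED_PARTIALS = new Set(['userCard', 'orderRow']);

// Replacement for `lookup` inside a dynamic partial, i.e. `{{> (partialName . "kind")}}`
// instead of `{{> (lookup . "kind")}}`. It resolves obj[key] but only returns a string
// that names a registered partial. Objects, arrays, functions and unknown names make it
// throw, so rendering aborts before invokePartial()'s compile fallback can be reached.
function lookupPartialName(obj, key, registered = REGISTERED_PARTIALS) {
  const value = obj == null ? undefined : obj[key];
  if (typeof value !== 'string') {
    const got = value === null ? 'null' : Array.isArray(value) ? 'array' : typeof value;
    throw new TypeError(`partial selector "${key}" must be a string, got ${got}`);
  }
  if (!registered.has(value)) {
    throw new Error(`"${value}" is not a registered partial`);
  }
  return value;
}

// Pre-render context check for the "sanitize context data" workaround. `selectorKeys`
// holds the context field names that templates use to pick a partial (e.g. "kind").
// Walks the whole context, including nested arrays and objects, and returns the paths
// of every selector field that is not a string naming a registered partial. An empty
// result means the context cannot feed a non-primitive value into a dynamic partial.
function findBadPartialSelectors(ctx, selectorKeys, registered = REGISTERED_PARTIALS,
                                 path = 'context', out = []) {
  if (ctx === null || typeof ctx !== 'object') return out;
  const entries = Array.isArray(ctx)
    ? ctx.map((v, i) => [`[${i}]`, null, v])
    : Object.keys(ctx).map((k) => [`.${k}`, k, ctx[k]]);
  for (const [segment, key, value] of entries) {
    const here = path + segment;
    if (key !== null && selectorKeys.has(key) &&
        !(typeof value === 'string' && registered.has(value))) {
      out.push(here);
    }
    findBadPartialSelectors(value, selectorKeys, registered, here, out);
  }
  return out;
}

// Wiring into Handlebars (comment only, so this file runs without the dependency):
//   Handlebars.registerHelper('partialName', (obj, key) => lookupPartialName(obj, key));
//   const bad = findBadPartialSelectors(context, new Set(['kind']));
//   if (bad.length) throw new Error(`refusing to render: bad partial selectors at ${bad}`);

// Stand-alone demonstration on constructed input; returns both check results.
function demonstrate() {
  const safeContext = { kind: 'userCard', items: [{ kind: 'orderRow' }] };
  // Constructed tainted context: a plain object where a partial name is expected.
  const taintedContext = { kind: 'userCard', items: [{ kind: { injected: true } }] };
  return {
    safe: findBadPartialSelectors(safeContext, new Set(['kind'])),       // []
    tainted: findBadPartialSelectors(taintedContext, new Set(['kind'])), // ['context.items[0].kind']
  };
}
```

The helper rejects rather than coerces: a non-string selector is a sign that untrusted data reached a field the template treats as a partial name, and failing the render is the safer outcome. The context walk is meant to run once per request before rendering, with selectorKeys kept in sync with the dynamic partial expressions the templates actually use.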
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| handlebars (npm) | >= 4.0.0, < 4.7.9 | 4.7.9 |
Affected products
OSV package coordinates (45 versions); none of these entries has a CPE.
| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/gitlab-rails-ce-18.11 | < 18.11.6-r2 |
| pkg:apk/chainguard/gitlab-rails-ce-19.0 | < 19.0.3-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.1 | < 18.1.6-r15 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.11 | < 18.11.6-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-19.0 | < 19.0.3-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-19.1 | < 19.1.1-r1 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r15 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r15 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r15 |
| pkg:apk/chainguard/kibana-8.18 | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-bitnami | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.13-r5 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.13-r5 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.13-r5 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r16 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r16 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r16 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r9 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r9 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.7-r2 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.7-r2 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.2-r2 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.2-r2 |
| pkg:apk/chainguard/lerna | < 9.0.7-r2 |
| pkg:apk/chainguard/nextcloud-server-32 | < 32.0.12-r1 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.5-r5 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r12 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r9 |
| pkg:apk/chainguard/pelias-api | < 7.6.0-r5 |
| pkg:apk/chainguard/prism | < 5.14.3-r13 |
| pkg:apk/chainguard/rancher-api-ui | < 1.2.3-r8 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r11 |
| pkg:apk/chainguard/ts-patch | < 4.0.1-r0 |
| pkg:apk/chainguard/wazuh-dashboard | < 4.14.4-r1 |
| pkg:apk/chainguard/wazuh-dashboard-security-plugin-fips | < 4.14.5-r8 |
| pkg:apk/wolfi/lerna | < 9.0.7-r2 |
| pkg:apk/wolfi/nextcloud-server-32 | < 32.0.12-r1 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.5-r5 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r12 |
| pkg:apk/wolfi/prism | < 5.14.3-r13 |
| pkg:apk/wolfi/rancher-api-ui | < 1.2.3-r8 |
| pkg:apk/wolfi/ts-patch | < 4.0.1-r0 |
| pkg:npm/handlebars | >= 4.0.0, < 4.7.9 |
References
- github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 (NVD: Patch, WEB)
- github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6 (NVD: Exploit, Vendor Advisory, WEB)
- github.com/advisories/GHSA-xhpv-hc6g-r9c6 (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33940 (GHSA: ADVISORY)
- github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 (NVD: Release Notes, WEB)