VYPR
Vendor: Handlebarsjs

Products: 2
CVEs: 7
Across products: 7
Status: Private

Recent CVEs (7)
  • CVE-2026-33937 | Critical | Mar 27, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the…

  • CVE-2026-33941 | High | Mar 27, 2026
    risk 0.46 | cvss 8.2 | epss 0.00

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options —…

  • CVE-2026-33940 | High | Mar 27, 2026
    risk 0.46 | cvss 8.1 | epss 0.01

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The…

  • CVE-2026-33938 | High | Mar 27, 2026
    risk 0.46 | cvss 8.1 | epss 0.01

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary…

  • CVE-2026-33939 | High | Mar 27, 2026
    risk 0.42 | cvss 7.5 | epss 0.01

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators,…

  • CVE-2015-8861 | Medium | Jan 23, 2017
    risk 0.33 | cvss 6.1 | epss 0.03

    The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.

  • CVE-2026-33916 | Medium | Mar 27, 2026
    risk 0.24 | cvss 4.7 | epss 0.00

    Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain…