handlebars
npm11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting handlebarspage 1 of 1
- CVE-2015-8861MEDIUMCVSS 6.1EG 6.1✓ Fixed in 4.0.02017-01-23
The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
- CVE-2019-19919CRITICALCVSS 9.8EG 9.8✓ Fixed in 3.0.82019-12-20
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code …
- CVE-2019-20920HIGHCVSS 8.1EG 8.1✓ Fixed in 4.5.32020-09-30
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to r…
- CVE-2019-20922HIGHCVSS 7.5EG 7.5✓ Fixed in 4.4.52020-09-30
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
- CVE-2021-23369MEDIUMCVSS 5.6EG 5.6✓ Fixed in 4.7.72021-04-12
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
- CVE-2021-23383MEDIUMCVSS 5.6EG 5.6✓ Fixed in 4.7.72021-05-04
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
- CVE-2026-33937CRITICALCVSS 9.8EG 9.8✓ Fixed in 4.7.92026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral`…
- CVE-2026-33938HIGHCVSS 8.1EG 8.1✓ Fixed in 4.7.92026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a templat…
- CVE-2026-33939HIGHCVSS 7.5EG 7.5✓ Fixed in 4.7.92026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled templa…
- CVE-2026-33940HIGHCVSS 8.1EG 8.1✓ Fixed in 4.7.92026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartia…
- CVE-2026-33941HIGHCVSS 8.2EG 8.2✓ Fixed in 4.7.92026-03-27
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file…
Check whether handlebars is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for handlebars CVEs against the assets you own.
Start Free Scan →