CVE-2026-33937

CRITICAL 9.8 (CVSS 3.1), Exploitation: PoC
Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate the input type before calling `Handlebars.compile()`: ensure the argument is always a primitive `string`, never a plain object or a JSON-deserialized value. Alternatively, if templates are pre-compiled at build time, use the Handlebars runtime-only build (`handlebars/runtime`) on the server; that build does not ship `compile()` at all, so the affected code path is absent.
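The first workaround in the description is an input-type guard in front of `Handlebars.compile()`. The following is an added example, not code from the CVE record or from the Handlebars project, showing such a guard. The compile function is injected so the block runs without the library; `fakeCompile`, `assertTemplateString`, `makeSafeCompile`, `handleBodies` and the request bodies are all constructed for this illustration.

```javascript
'use strict';

// Throws unless `input` is a primitive string. Plain objects, arrays, String
// wrapper objects and anything that came out of JSON.parse are rejected before
// they can reach compile(), which closes the AST-object path described above.
function assertTemplateString(input, maxLength = 64 * 1024) {
  if (typeof input !== 'string') {
    const got = input === null ? 'null' : Array.isArray(input) ? 'array' : typeof input;
    throw new TypeError(`template must be a primitive string, got ${got}`);
  }
  if (input.length > maxLength) {
    // Not part of the CVE; a size cap is simply a sensible companion check.
    throw new RangeError(`template exceeds ${maxLength} characters`);
  }
  return input;
}

// Wraps a compile function (Handlebars.compile in a real deployment) so that it
// only ever sees values that passed assertTemplateString().
function makeSafeCompile(compile) {
  return function safeCompile(input, options) {
    return compile(assertTemplateString(input), options);
  };
}

// Stand-in for Handlebars.compile, used only to keep the example self-contained.
// It records the template it received instead of generating JavaScript.
function fakeCompile(template) {
  return { source: template };
}

// Constructed JSON request bodies modelling what a server endpoint might receive.
// The second body carries an object (a harmless, minimal AST-shaped value), which
// is exactly the kind of input the guard must refuse.
const bodies = [
  JSON.stringify({ template: 'Hello {{name}}' }),
  JSON.stringify({ template: { type: 'Program', body: [] } }),
  JSON.stringify({ template: 42 }),
];

// Processes each body through the guarded compile and reports the outcome.
function handleBodies(rawBodies, compile = fakeCompile) {
  const safeCompile = makeSafeCompile(compile);
  return rawBodies.map((raw) => {
    const { template } = JSON.parse(raw);
    try {
      safeCompile(template);
      return 'compiled';
    } catch (err) {
      return `rejected: ${err.name}`;
    }
  });
}

console.log(handleBodies(bodies));
```

In production the wrapper would be `makeSafeCompile(Handlebars.compile)` and every call site would use the wrapper instead of calling `Handlebars.compile` directly; the check belongs at the trust boundary, not in the template author's hands.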

Metadata

CVE ID
CVE-2026-33937
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-03-24 19:50 UTC
Published
2026-03-27 21:03 UTC
Last updated
2026-04-01 03:55 UTC
Primary CWE
CWE-843
CWE-843: Access of Resource Using Incompatible Type ('Type C…
Vendor / Product
handlebars-lang / handlebars.js
Sources
cve.org  ·  NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
total
Affected products (1)

Vendor          | Product       | Platform | Versions
handlebars-lang | handlebars.js |          | >= 4.0.0, < 4.7.9
Weakness (CWE)

CWE     | Source | Description
CWE-843 | cna    | CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-94  | cna    | CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS scores (1)

Score | Severity | Version | Source | Vector
9.8   | CRITICAL | 3.1     | cna    | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References (3)