VDB

CVE-2026-33916

CVE-2026-33916 PUBLISHED CVSS 4.699999809265137 MEDIUM

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.

EPSS 0.06% · 19.6th percentile

Risk Scores

CVSS v3.1
4.699999809265137
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score
0.06%
19.6th percentile

Affected Products

VendorProductVersions
handlebarsjshandlebars4.0.0
handlebars-langhandlebars.js>= 4.0.0, < 4.7.9, >= 4.0.0, < 4.7.9, >= 4.0.0, < 4.7.9
npmhandlebars4.0.0, 4.0.0, 4.0.0
AWSconnect

Timeline

  • Mar 26, 2026 CVE Published
  • Mar 27, 2026 CVE Updated
  • Mar 27, 2026 Security Advisory
  • Mar 27, 2026 Security Advisory
  • Mar 27, 2026 Security Advisory
  • Mar 27, 2026 PoC Published
  • Mar 28, 2026 EPSS Score
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score

References

…and 3 more

Open in Interactive Console →
$ Console Community · 100/wk Open console ›