VDB

CVE-2026-33941

CVE-2026-33941 PUBLISHED CVSS 8.300000190734863 HIGH

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

EPSS 0.01% · 0.9th percentile

Risk Scores

CVSS 3.1
8.300000190734863
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score
0.01%
0.9th percentile

Affected Products

VendorProductVersions
Cloudflareaccess
handlebars-langhandlebars.js*, >= 4.0.0, < 4.7.9, >= 4.0.0, < 4.7.9
npmhandlebars4.0.0, 4.0.0, 4.0.0
handlebarsjshandlebars4.0.0
AWSconfig

Timeline

  • Mar 27, 2026 CVE Published
  • Mar 27, 2026 PoC Published
  • Mar 27, 2026 PoC Published
  • Mar 28, 2026 EPSS Score
  • Mar 28, 2026 Coalition ESS Score
  • Mar 28, 2026 Security Advisory
  • Mar 30, 2026 CVE Updated
  • Mar 30, 2026 PoC Published
  • Apr 1, 2026 PoC Published
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›