{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33916", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.492Z", "datePublished": "2026-03-27T21:00:48.624Z", "dateUpdated": "2026-03-30T15:41:36.977Z"}, "containers": {"cna": {"title": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9"}, {"name": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "tags": ["x_refsource_MISC"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"}, {"name": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}], "affected": [{"vendor": "handlebars-lang", "product": "handlebars.js", "versions": [{"version": ">= 4.0.0, < 4.7.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:00:48.624Z"}, "descriptions": [{"lang": "en", "value": "Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface."}], "source": {"advisory": "GHSA-2qvq-rjwj-gvw9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:41:27.326408Z", "id": "CVE-2026-33916", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:41:36.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33916", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:41:27.326408Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:41:32.546Z"}}], "cna": {"title": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection", "source": {"advisory": "GHSA-2qvq-rjwj-gvw9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "handlebars-lang", "product": "handlebars.js", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.7.9"}]}], "references": [{"url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9", "name": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "name": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "name": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:00:48.624Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33916", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:41:36.977Z", "dateReserved": "2026-03-24T15:41:47.492Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:00:48.624Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A9D1F9A7-8359-4C3F-9932-4A085094F388", "versionEndExcluding": "4.7.9", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface."}], "id": "CVE-2026-33916", "lastModified": "2026-03-31T17:48:27.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T21:17:27.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution", "id": "2452509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452509"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-915", "details": ["A flaw was found in Handlebars. The `resolvePartial()` function in the Handlebars runtime does not properly guard against prototype-chain traversal when resolving partial names. This allows an attacker to inject malicious code into web pages. When `Object.prototype` has been polluted with a string value that matches a partial reference, the polluted string is used as the partial body and rendered without proper HTML escaping. This can result in reflected or stored Cross-Site Scripting (XSS), potentially leading to arbitrary code execution in a user's browser or information disclosure."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, apply `Object.freeze(Object.prototype)` early in the application startup to prevent prototype pollution. Alternatively, use the Handlebars runtime-only build (`handlebars/runtime`), which reduces the attack surface by not compiling templates. Be aware that applying `Object.freeze(Object.prototype)` may impact the functionality of other libraries within the application. Applications utilizing Handlebars may require a restart for these changes to take effect."}, "name": "CVE-2026-33916", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Fix deferred", "package_name": "handlebars", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch-operator-bundle", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch-proxy-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/elasticsearch-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Fix deferred", "package_name": "openshift-logging/logging-curator5-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "handlebars", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "389-ds:1.4/389-ds-base", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mozjs60", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "handlebars", "product_name": "Red Hat Process Automation 7"}], "public_date": "2026-03-27T21:00:48Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33916\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33916\nhttps://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2\nhttps://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9\nhttps://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9"], "statement": "Moderate: This vulnerability in Handlebars allows for Cross-Site Scripting (XSS) when an application uses Handlebars versions 4.0.0 through 4.7.8 and is susceptible to prototype pollution. An attacker could inject malicious code into web pages, potentially leading to arbitrary code execution in a user's browser or information disclosure. This affects Red Hat products that embed or utilize vulnerable versions of the Handlebars library.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.7.9)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "handlebars.js", "source": "cna", "vendor": "handlebars-lang"}, "product": "handlebars", "vendor": "handlebarsjs"}], "analysis": {"en": {"generated_at": "2026-03-31T19:42:51.181475+00:00", "value": {"mitigation_remediation": ["Upgrade Handlebars.js to version 4.7.9 or later.", "If an upgrade is not immediately possible, add Object.freeze(Object.prototype) at application startup to prevent further prototype pollution.", "Consider migrating to the Handlebars runtime\u2011only build (handlebars/runtime) which does not compile templates and reduces the attack surface."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting via unescaped prototype\u2011polluted parts"}, "threat_synthesis": {"affected_systems": "The vulnerability affects projects that use Handlebars.js versions 4.0.0 through 4.7.8, including any Node.js applications that depend on the handlebars-lang:handlebars.js library. Versions starting at 4.7.9 are not impacted.", "description_and_impact": "Handlebars.js versions 4.0.0 through 4.7.8 allow an attacker to inject a specially crafted property into Object.prototype. When the runtime resolves a partial name, it performs a plain property lookup on options.partials without guarding against prototype\u2011chain traversal. If Object.prototype contains a string value whose key matches a partial reference, that string is used as the partial body and rendered without HTML escaping, leading to reflected or stored XSS. The weakness is a Prototype Pollution flaw (CWE\u20111321) combined with a Reflected XSS condition (CWE\u201179).", "risk_and_exploitability": "The CVSS score is 4.7, indicating a low to moderate severity, and the EPSS score is below 1%, suggesting a low exploitation probability in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a template that references the polluted partial name; once executed, the malicious payload can execute arbitrary JavaScript within the victim\u2019s browser context. The attack can be carried out from the client side if an attacker controls template rendering, making it a practical risk in web applications that allow dynamic template injection."}}}}, "created": "2026-03-29T20:29:52.596270+00:00", "updated": "2026-03-31T20:00:42.661093+00:00", "vendors": ["handlebarsjs", "handlebarsjs$PRODUCT$handlebars"]}