CVE-2026-33916

Exploit

EPSS 0.06%
Veröffentlicht 27.03.2026 21:00:48
Zuletzt bearbeitet 31.03.2026 17:48:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype  pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates  and reduces the attack surface.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Handlebarsjs ≫ Handlebars SwPlatformnode.js Version >= 4.0.0 < 4.7.9

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.192

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.7	1.6	2.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.7	1.6	2.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9

Vendor Advisory

Exploit

https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2

Patch

https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-33916

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33916

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33916

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33916