Handlebarsjs

Handlebars

10 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.2

CVE-2026-33941

Exploit
  • EPSS 0.01%
  • Veröffentlicht 27.03.2026 21:13:15
  • Zuletzt bearbeitet 31.03.2026 17:53:18

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and se...

8.1

CVE-2026-33940

Exploit
  • EPSS 0.03%
  • Veröffentlicht 27.03.2026 21:11:10
  • Zuletzt bearbeitet 31.03.2026 17:51:04

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to ret...

7.5

CVE-2026-33939

Exploit
  • EPSS 0.07%
  • Veröffentlicht 27.03.2026 21:08:24
  • Zuletzt bearbeitet 31.03.2026 17:50:47

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `l...

8.1

CVE-2026-33938

Exploit
  • EPSS 0.05%
  • Veröffentlicht 27.03.2026 21:05:42
  • Zuletzt bearbeitet 31.03.2026 20:16:27

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpe...

9.8

CVE-2026-33937

Exploit
  • EPSS 0.23%
  • Veröffentlicht 27.03.2026 21:03:46
  • Zuletzt bearbeitet 31.03.2026 17:49:05

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node i...

4.7

CVE-2026-33916

Exploit
  • EPSS 0.06%
  • Veröffentlicht 27.03.2026 21:00:48
  • Zuletzt bearbeitet 31.03.2026 17:48:27

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding aga...

9.8

CVE-2021-23383

Exploit
  • EPSS 5.67%
  • Veröffentlicht 04.05.2021 09:15:07
  • Zuletzt bearbeitet 21.11.2024 05:51:36

The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

9.8

CVE-2021-23369

Exploit
  • EPSS 3.58%
  • Veröffentlicht 12.04.2021 14:15:14
  • Zuletzt bearbeitet 21.11.2024 05:51:35

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

7.8

CVE-2019-20922

  • EPSS 0.29%
  • Veröffentlicht 30.09.2020 18:15:18
  • Zuletzt bearbeitet 21.11.2024 04:39:41

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

8.1

CVE-2019-20920

Exploit
  • EPSS 0.34%
  • Veröffentlicht 30.09.2020 18:15:17
  • Zuletzt bearbeitet 21.11.2024 04:39:41

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrar...