Vulnerability DatabaseCVE-2026-33916
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-33916
March 27, 2026
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, "resolvePartial()" in the Handlebars runtime resolves partial names via a plain property lookup on "options.partials" without guarding against prototype-chain traversal. When "Object.prototype" has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply "Object.freeze(Object.prototype)" early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build ("handlebars/runtime"), which does not compile templates and reduces the attack surface.
Affected Packages
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
https://github.com/handlebars-lang/handlebars.js.git (GITHUB):
Affected version(s) >=v4.0.0 <v4.7.9
Fix Suggestion:
Update to version v4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
handlebars (NPM):
Affected version(s) >=4.0.0 <4.7.9
Fix Suggestion:
Update to version 4.7.9
Related Resources (7)
https://github.com/handlebars-lang/handlebars.js
https://nvd.nist.gov/vuln/detail/CVE-2021-23369
https://nvd.nist.gov/vuln/detail/CVE-2026-33916
https://nvd.nist.gov/vuln/detail/CVE-2021-23383
https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1321
EPSS
Base Score:
0.03