Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
Summary
| CVE | CVE-2026-33941 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-27 22:16:21 UTC |
| Updated | 2026-07-15 02:20:26 UTC |
| Description | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline. |
Risk And Classification
Primary CVSS: v3.1 8.2 HIGH from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.002910000 probability, percentile 0.210140000 (date 2026-07-16)
Problem Types: CWE-79 | CWE-94 | CWE-116 | CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CWE-94 CWE-94: Improper Control of Generation of Code ('Code Injection') | CWE-116 CWE-116: Improper Encoding or Escaping of Output | CWE-94 Improper Control of Generation of Code ('Code Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | ADP | CVSS | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 8.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Handlebarsjs | Handlebars | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Handlebars-lang | Handlebars.js | affected >= 4.0.0, < 4.7.9 | Not specified |
| ADP | Red Hat | Cluster Observability Operator 1.5.0 | unaffected 1782839279 * rpm | Not specified |
| ADP | Red Hat | Cluster Observability Operator 1.5.0 | unaffected 1782840539 * rpm | Not specified |
| ADP | Red Hat | Cluster Observability Operator 1.5.0 | unaffected 1782839996 * rpm | Not specified |
| ADP | Red Hat | Red Hat OpenShift Dev Spaces 3.27 | unaffected 1776744110 * rpm | Not specified |
| ADP | Red Hat | Cryostat 4 | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat Process Automation 7 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-33941 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34342 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33941.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3... | [email protected] | github.com | Exploit, Vendor Advisory |
| github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 | [email protected] | github.com | Release Notes |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:10175 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c... | [email protected] | github.com | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-27T22:02:54.583Z | Reported to Red Hat. |
| ADP | 2026-03-27T21:13:15.437Z | Made public. |
Solutions
ADP: RHSA-2026:34342: Cluster Observability Operator 1.5.0
ADP: RHSA-2026:10175: Red Hat OpenShift Dev Spaces 3.27
Workarounds
ADP: To mitigate this issue, ensure all inputs to the Handlebars CLI precompiler are thoroughly validated, rejecting characters with JavaScript string-escaping significance (e.g., \" , \' , ;). For automated build pipelines, configure a fixed and trusted namespace string via a configuration file rather than passing it through command-line arguments. Additionally, consider running the precompiler within a sandboxed environment, such as a container with restricted write access, to limit the potential impact of successful exploitation.