CVE-2026-55760

Any application that passes user-controlled input to Handlebars.compile() using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that use template names from URL path parameters, request parameters, or other user-controlled sources.

com.github.jknack:handlebars:4.5.2

Validate template name is derived from user input.

if (!file.getPath().startsWith(new File(prefix).getCanonicalPath())) {
    throw new IOException("Path traversal attempt detected: " + location);
}