PT-2026-28566 · Unknown · Handlebars

Byamb4 · Published 2026-03-26 · Updated 2026-05-18 · CVE-2026-33916

CVSS v3.1: 4.7 (Medium) · Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Handlebars versions 4.0.0 through 4.7.8

Description: Handlebars is a templating engine that allows users to build semantic templates. Versions 4.0.0 through 4.7.8 contain a flaw in the resolvePartial() function within the Handlebars runtime. This function resolves partial names using a property lookup on options.partials without preventing prototype chain traversal. If Object.prototype is polluted with a string value matching a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, potentially leading to reflected or stored cross-site scripting (XSS).

Recommendations: Update to version 4.7.9 or later. Apply Object.freeze(Object.prototype) early in application startup. Use the Handlebars runtime-only build (handlebars/runtime).
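As an added example (not code from Handlebars or from this advisory), the following contrasts a partial lookup that reads straight through the prototype chain, the pattern the description attributes to resolvePartial(), with an own-property-only lookup, and applies the recommended Object.freeze mitigation to a constructed prototype so the demo stays local. All function names and the INHERITED_VALUE sample are assumptions.

```javascript
// Added example, not Handlebars' own code; names and sample values are hypothetical.

// Mimics the flawed pattern: a plain property read on the partials map also
// returns values inherited from the prototype chain.
function lookupPartialUnsafe(partials, name) {
  return partials[name];
}

// Hardened lookup: only an own property of the partials map counts as a partial,
// so an inherited (polluted) value is never treated as a template body.
function lookupPartialSafe(partials, name) {
  if (!Object.prototype.hasOwnProperty.call(partials, name)) {
    return undefined;
  }
  return partials[name];
}

// Simulates pollution without touching the real Object.prototype: the partials
// map inherits from a constructed object that carries an unexpected value.
function simulatePollutedLookup(name) {
  const pollutedProto = { [name]: 'INHERITED_VALUE' }; // constructed, benign
  const partials = Object.create(pollutedProto);
  partials.footer = 'Footer partial body'; // a legitimately registered partial
  return {
    unsafe: lookupPartialUnsafe(partials, name),
    safe: lookupPartialSafe(partials, name),
    ownStillWorks: lookupPartialSafe(partials, 'footer'),
  };
}

// The advisory's mitigation is Object.freeze(Object.prototype) at startup; here
// the same call is applied to a constructed prototype so the demo stays local.
// Returns true when a later write to the frozen prototype does not reach children.
function freezeBlocksPollution() {
  const proto = {};
  const child = Object.create(proto);
  Object.freeze(proto);
  try {
    proto.injected = 'polluted'; // silently ignored, or TypeError in strict mode
  } catch (e) {
    // strict-mode write to a frozen object throws; either way nothing is added
  }
  return !('injected' in child);
}
```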

Exploit · Fix · Prototype Pollution · XSS

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-KS09647
CLEANSTART-2026-LC05413
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CVE-2026-33916
GHSA-2QVQ-RJWJ-GVW9

Affected Products

Handlebars