PT-2026-28570 · Npm+1 · Handlebars-Helpers+1

Evanj2357 · Published 2026-03-27 · Updated 2026-04-10 · CVE-2026-33938

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Handlebars versions 4.0.0 through 4.7.8

Description: Handlebars allows users to build semantic templates. A flaw exists where the @partial-block special variable is stored in the template data context and is mutable from within a template via helpers that accept arbitrary objects. If a helper overwrites @partial-block with a crafted Handlebars Abstract Syntax Tree (AST), a subsequent invocation of {{> @partial-block}} compiles and executes that AST, potentially enabling arbitrary JavaScript execution on the server. The handlebars-helpers npm package includes helpers that can be used to overwrite the @partial-block variable.

The root cause is that the data frame is a mutable object, so an attacker who controls a helper's input can control the value of @partial-block. When {{> @partial-block}} is evaluated, the runtime dynamically compiles that value; if it is a well-formed Handlebars AST containing injected code, the injected JavaScript runs in the server process.

Recommendations: Use the runtime-only build (require('handlebars/runtime')), which omits the compiler so that no template or AST can be compiled at render time. Audit registered helpers for any that write arbitrary values to context objects. Avoid registering helpers from third-party packages in contexts where templates or context data can be influenced by untrusted input.
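The helper audit recommended above can be backed by a runtime guard. The following is an added example, not code from this advisory, from Handlebars or from handlebars-helpers. It assumes Handlebars passes the current data frame to a helper as the `data` property of its trailing `options` argument and resolves @partial-block to the key `partial-block` in that frame; the helper names, the stand-in `registerHelper` host and the sample inputs are constructed.

```javascript
// Added example (not from the advisory or from Handlebars/handlebars-helpers).
// Assumption: Handlebars hands each helper an `options` object as its last argument,
// with the current data frame in `options.data`, and resolves `@partial-block` to
// options.data['partial-block']. A helper that replaces that entry hands
// {{> @partial-block}} an attacker-chosen value to compile, which is the flaw the
// advisory describes; this guard detects the write, undoes it and refuses to continue.
const PARTIAL_BLOCK_KEY = 'partial-block';

function guardHelper(name, helperFn) {
  return function guarded(...args) {
    const options = args[args.length - 1];
    const frame = options && typeof options === 'object' ? options.data : undefined;
    // Helpers invoked without a data frame (e.g. compiled with `data: false`) have nothing to protect.
    if (!frame || typeof frame !== 'object') return helperFn.apply(this, args);
    const before = frame[PARTIAL_BLOCK_KEY];
    const result = helperFn.apply(this, args);
    if (frame[PARTIAL_BLOCK_KEY] !== before) {
      frame[PARTIAL_BLOCK_KEY] = before; // restore the original block before anything can render it
      throw new Error(`helper "${name}" replaced @partial-block in the data frame; refusing to render`);
    }
    return result;
  };
}

// Register a map of helpers ({ name: function }) on anything exposing registerHelper,
// each wrapped by the guard. Returns the registered names for auditing/logging.
function registerGuardedHelpers(hbs, helpers) {
  const names = [];
  for (const [name, fn] of Object.entries(helpers)) {
    hbs.registerHelper(name, guardHelper(name, fn));
    names.push(name);
  }
  return names;
}

// Stand-alone demo against a constructed stand-in for a Handlebars instance.
const demoHost = { helpers: {}, registerHelper(name, fn) { this.helpers[name] = fn; } };
registerGuardedHelpers(demoHost, {
  shout: (s) => String(s).toUpperCase(),
  // Constructed stand-in for a helper that merges a caller-supplied object into the data frame.
  mergeIntoData: (obj, options) => { Object.assign(options.data, obj); return ''; },
});
const demoFrame = { [PARTIAL_BLOCK_KEY]: function originalPartialBlock() {} };
console.log(demoHost.helpers.shout('ok', { data: demoFrame })); // prints "OK"
try {
  demoHost.helpers.mergeIntoData({ [PARTIAL_BLOCK_KEY]: { constructed: true } }, { data: demoFrame });
} catch (err) {
  console.log(err.message); // the guard reports the overwrite; demoFrame keeps its original block
}
```

In a real deployment the guard is registered on the actual Handlebars instance, and its exception is the detection signal to log and alert on.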

Weakness Enumeration

Code Injection
Type Confusion

Related Identifiers

CVE-2026-33938
GHSA-3MFM-83XF-C92R

Affected Products

Handlebars
Handlebars-Helpers