Browse all 6 CVE security advisories affecting handlebars-lang. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Handlebars-lang is a popular templating language primarily used for generating dynamic HTML by combining templates with data. Historically, it has been susceptible to cross-site scripting (XSS) vulnerabilities due to improper output encoding, and remote code execution (RCE) through prototype pollution or sandbox escapes. While no major public incidents have been widely documented, the six CVEs on record highlight consistent security concerns around template rendering and input validation. Its server-side rendering approach introduces risks when untrusted data is processed, making proper context escaping critical. The library's widespread adoption in web frameworks increases its potential attack surface, necessitating strict input sanitization and secure configuration practices.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-33941 | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options — handlebars.jsCWE-79 | 8.3 | High | 2026-03-27 |
| CVE-2026-33940 | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial — handlebars.jsCWE-94 | 8.1 | High | 2026-03-27 |
| CVE-2026-33939 | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation — handlebars.jsCWE-754 | 7.5 | High | 2026-03-27 |
| CVE-2026-33938 | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block — handlebars.jsCWE-94 | 8.1 | High | 2026-03-27 |
| CVE-2026-33937 | Handlebars.js has JavaScript Injection via AST Type Confusion — handlebars.jsCWE-843 | 9.8 | Critical | 2026-03-27 |
| CVE-2026-33916 | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection — handlebars.jsCWE-79 | 4.7 | Medium | 2026-03-27 |
This page lists every published CVE security advisory associated with handlebars-lang. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.