Zero Day Monitor (ZDM)
CVE-2026-33938 · CVSS 8.1 · EXPLOITED · PATCHED
handlebars-lang · handlebars.js

Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block

Description

A vulnerability classified as critical has been found in Handlebars up to 4.7.8. It affects the function compile. Manipulation leads to code injection. The vulnerability is referenced as CVE-2026-33938. The attack can be carried out remotely. No exploit is available. The affected component should be upgraded.

Affected Products

Vendor | Product | Versions
handlebars-lang | handlebars.js | >= 4.0.0, < 4.7.9

References

  • https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r (x_refsource_CONFIRM)
  • https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 (x_refsource_MISC)
  • https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 (x_refsource_MISC)

Related News (3 articles)

Tier A · Microsoft MSRC · 6h ago
CVE-2026-33938 Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
→ No new info (linked only)

Tier C · VulDB · 3d ago
CVE-2026-33938 | Handlebars up to 4.7.8 compile code injection (GHSA-3mfm-83xf-c92r)
→ No new info (linked only)

Tier C · VulDB · 3d ago
CVE-2026-33938 | Handlebars up to 4.7.8 compile code injection (GHSA-3mfm-83xf-c92r)
→ No new info (linked only)

CVSS 3.1: 8.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: handlebars@4.7.9
CWE: CWE-94, CWE-843
Published: Mar 27, 2026
Last enriched: 3d ago (v3)
Tags: GHSA-3mfm-83xf-c92r, npm
Trending Score: 60
Source articles: 3
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-33939 · EXP
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Trending: 75

HIGH · CVE-2026-33940
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Trending: 51

MEDIUM · CVE-2026-33916
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Trending: 42

CRITICAL · CVE-2026-33937
Handlebars.js has JavaScript Injection via AST Type Confusion
Trending: 41

HIGH · CVE-2026-33941
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
Trending: 39

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Mar 27, 2026
Discovered by ZDM: Mar 27, 2026
Actively Exploited: Mar 27, 2026
Patch Available: Mar 27, 2026
Updated: severity, activelyExploited (Mar 27, 2026)
Updated: description (Mar 28, 2026)

Version History

v3 · Last enriched 3d ago

v3 · Tier C · 3d ago

Updated description with new details about the vulnerability and corrected exploit availability to false.

description · via VulDB

v2 · Tier C · 3d ago

Updated severity to CRITICAL, marked as actively exploited, and noted that no specific patch version is provided.

severity, activelyExploited · via VulDB

v1 · 3d ago

Initial creation