CVE-2026-33941 · PATCHED · CVSS 8.3
handlebars-lang · handlebars.js

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

Description

A vulnerability, classified as problematic, has been found in Handlebars up to 4.7.8. The affected element is an unknown function in the file lib/precompiler.js. Manipulation of this function causes cross-site scripting. The vulnerability is identified as CVE-2026-33941. The attack can only be executed locally. Upgrading the affected component is advised.

Affected Products

Vendor: handlebars-lang
Product: handlebars.js
Versions: npm/handlebars: >= 4.0.0, <= 4.7.8

References

  • https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf (x_refsource_CONFIRM)
  • https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 (x_refsource_MISC)
  • https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 (x_refsource_MISC)

Related News (3 articles)

Tier A · Microsoft MSRC · 4h ago
CVE-2026-33941 Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
→ No new info (linked only)

Tier C · VulDB · 3d ago
CVE-2026-33941 | Handlebars up to 4.7.8 lib/precompiler.js cross site scripting (GHSA-xjpj-3mr7-gcpf)
→ No new info (linked only)

Tier C · VulDB · 3d ago
CVE-2026-33941 | Handlebars up to 4.7.8 lib/precompiler.js cross site scripting (GHSA-xjpj-3mr7-gcpf)
→ No new info (linked only)

CVSS 3.1: 8.3 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA KEV: No
Actively exploited: No
Patch available: handlebars@4.7.9
CWE: CWE-79, CWE-94, CWE-116
Published: Mar 27, 2026
Last enriched: 3d ago (v2)
Tags: GHSA-xjpj-3mr7-gcpf, npm
Trending Score: 39
Source articles: 3
Independent: 2
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-33939 · EXP
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Trending: 76

CRITICAL · CVE-2026-33938 · EXP
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Trending: 61

HIGH · CVE-2026-33940
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Trending: 52

MEDIUM · CVE-2026-33916
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Trending: 42

CRITICAL · CVE-2026-33937
Handlebars.js has JavaScript Injection via AST Type Confusion
Trending: 42

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Mar 27, 2026
Discovered by ZDM: Mar 27, 2026
Patch Available: Mar 27, 2026
Updated (description, patchAvailable): Mar 27, 2026

Version History

v2 · Tier C · 3d ago · via VulDB (last enriched 3d ago)
Updated description with new details about the vulnerability and clarified that there is no exploit available.
Fields: description, patchAvailable

v1 · 3d ago
Initial creation