CVE Catalog

CVE-2026-33937

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.74%

75th percentile - higher than 75% of all known CVEs

Summary

A vulnerability in Handlebars versions 4.0.0 through 4.7.8 allows remote code execution (RCE) by supplying a crafted AST object to the `compile()` function. An attacker can inject arbitrary JavaScript because the `NumberLiteral` value is emitted without sanitization.

Risk Assessment

The risk for the organization is critical – a remote attacker can take over the server by executing arbitrary code in the application context, compromising data confidentiality, integrity, and availability.

Recommendation

Immediately update Handlebars to version 4.7.9 or later. As a temporary workaround, validate that the argument to `compile()` is a `string`, not an object, or use the runtime-only build (`handlebars/runtime`) on the server.

Original NVD description (English source)

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS