Handlebars

This hub aggregates every CVE we track for Handlebars, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 12 most recently published vulnerabilities affecting Handlebars.

• CVE-2026-33941Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options8.2Mar 27, 2026
• CVE-2026-33940Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial8.1Mar 27, 2026
• CVE-2026-33939Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation7.5Mar 27, 2026
• CVE-2026-33938Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block8.1Mar 27, 2026
• CVE-2026-33937Handlebars.js has JavaScript Injection via AST Type Confusion9.8Mar 27, 2026
• CVE-2026-33916Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection4.7Mar 27, 2026
• CVE-2021-23383Prototype Pollution5.6May 4, 2021
• CVE-2021-23369Remote Code Execution (RCE)5.6Apr 12, 2021
• CVE-2019-20920Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute a...8.1Sep 30, 2020
• CVE-2019-20922Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may all...7.5Sep 30, 2020
• CVE-2019-19919Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may al...9.8Dec 20, 2019
• CVE-2015-8861The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.6.1Jan 23, 2017