PatchSiren

handlebars-lang CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH handlebars-lang CVE published 2026-03-27

CVE-2026-33938

CVE-2026-33938 is a high-severity vulnerability in Handlebars, a popular templating engine for Node.js. The vulnerability allows for arbitrary JavaScript code execution on the server due to improper handling of the `@partial-block` special variable. This variable is stored in the template data context and can be overwritten by helpers that accept arbitrary objects, leading to code injection. The issue aff [truncated]

CRITICAL handlebars-lang CVE published 2026-03-27

CVE-2026-33937

CVE-2026-33937 is a critical vulnerability in Handlebars, a popular templating engine for Node.js. The vulnerability allows for Remote Code Execution (RCE) and has a CVSS score of 9.8. It affects Handlebars versions 4.0.0 through 4.7.8. An attacker can exploit this vulnerability by supplying a crafted Abstract Syntax Tree (AST) to the `Handlebars.compile()` function, which can lead to arbitrary JavaScript [truncated]