handlebars (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package handlebars, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2026-33937 — CVSS 9.8 (critical): Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()`…
CVE-2019-19919 — CVSS 9.8 (critical): Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an…
CVE-2026-33941 — CVSS 8.2 (high): Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI…
CVE-2026-33938 — CVSS 8.1 (high): Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block`…
CVE-2026-33940 — CVSS 8.1 (high): Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in…
CVE-2019-20920 — CVSS 8.1 (high): Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate…
CVE-2019-20922 — CVSS 7.5 (high): Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an…
CVE-2026-33939 — CVSS 7.5 (high): Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template…
CVE-2015-8861 — CVSS 6.1 (medium): The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a…
CVE-2021-23383 — CVSS 5.6 (medium): The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates…
CVE-2021-23369 — CVSS 5.6 (medium): The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile…
CVE-2026-33916 — CVSS 4.7 (medium): Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the…