CVE-2026-33940
Status: Received - Intake
Arbitrary Code Execution via Dynamic Partial Injection in Handlebars

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue.

Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). Without `compile()`, the fallback compilation path in `invokePartial` is unreachable. Second, sanitize context data before rendering: ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-31
Generated: 2026-05-07
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor        Product      Version / Range
handlebarsjs  handlebars   from 4.0.0 (inclusive) to 4.7.9 (exclusive)
CWE
CWE ID   Description
CWE-94   The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-843  The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Handlebars versions 4.0.0 through 4.7.8. It allows an attacker who can control a value returned by a dynamic partial lookup to bypass all conditional guards in the resolvePartial() function. This causes invokePartial() to return undefined, leading the Handlebars runtime to treat the unresolved partial as a source that needs compilation. The crafted object is a valid Handlebars AST containing injected code, which results in arbitrary JavaScript code execution on the server.

The issue is fixed in version 4.7.9. Workarounds include using the runtime-only build to avoid fallback compilation, sanitizing context data to ensure no non-primitive objects are passed to dynamic partials, and avoiding dynamic partial lookups when context data is user-controlled.


How can this vulnerability impact me?

This vulnerability can lead to arbitrary code execution on the server where Handlebars is used. An attacker who controls certain input can execute malicious JavaScript code, potentially compromising the server's confidentiality, integrity, and availability.

  • Confidentiality impact: Sensitive data on the server could be exposed.
  • Integrity impact: Attackers could modify data or application behavior.
  • Availability impact: The server or application could be disrupted or taken down.

What immediate steps should I take to mitigate this vulnerability?

Upgrade Handlebars to version 4.7.9 or later, where the issue is fixed. If you cannot upgrade immediately, apply one or more of the following workarounds:

  • Use the runtime-only build (require('handlebars/runtime')) to avoid fallback compilation paths.
  • Sanitize context data before rendering to ensure no value in the context is a non-primitive object that could be passed to a dynamic partial.
  • Avoid dynamic partial lookups (e.g., {{> (lookup ...)}}) when context data is user-controlled.
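The second and third workarounds listed above (and in the Description) amount to one rule: the value that a dynamic partial expression hands to `resolvePartial()` must be a string naming a partial the application registered, never an object taken from the rendering context. The following is an added example written for this page, not code from the Handlebars project or from the advisory. It replaces the `{{> (lookup . "kind")}}` pattern with a `safePartial` helper that enforces an allowlist, and adds a context check that refuses to render when any field used as a partial name holds a non-string or unknown value. The partial names, the `kind` field, the template strings and the sample contexts are constructed for illustration; the Handlebars environment is passed in rather than required, so the file runs without the package installed.

```javascript
'use strict';

// Partials this application actually registers (assumed names). Every dynamic
// partial name must come from this set; nothing else reaches resolvePartial().
const PARTIAL_ALLOWLIST = new Set(['userCard', 'adminCard', 'guestCard']);

// Constructed template shapes. The first feeds whatever the context holds
// straight into the partial lookup; the second routes the name through the
// allowlist helper defined below.
const VULNERABLE_TEMPLATE = '{{> (lookup . "kind") }}';
const HARDENED_TEMPLATE = '{{> (safePartial kind) }}';

// Helper body for `{{> (safePartial kind)}}`: the partial name must be a plain
// string from the allowlist. An object (the crafted value the advisory
// describes) is rejected here, before invokePartial() could fall back to
// env.compile().
function selectPartial(name) {
  if (typeof name !== 'string') {
    throw new TypeError(`dynamic partial name must be a string, got ${typeof name}`);
  }
  if (!PARTIAL_ALLOWLIST.has(name)) {
    throw new RangeError(`partial "${name}" is not registered`);
  }
  return name;
}

// Register the helper on a Handlebars environment (full or runtime build).
// Accepting the environment as a parameter keeps this file runnable offline.
function registerSafePartial(hbs) {
  hbs.registerHelper('safePartial', selectPartial);
  return hbs;
}

// Context check: walk the rendering context and collect every property whose
// key is used as a dynamic partial name but whose value is not an allowlisted
// string. Nested objects and arrays are walked so a hostile value cannot hide
// inside a list item.
function findPartialNameViolations(ctx, partialNameKeys, path = '$', out = []) {
  if (ctx === null || typeof ctx !== 'object') return out;
  if (Array.isArray(ctx)) {
    ctx.forEach((v, i) => findPartialNameViolations(v, partialNameKeys, `${path}[${i}]`, out));
    return out;
  }
  for (const [key, value] of Object.entries(ctx)) {
    const here = `${path}.${key}`;
    if (partialNameKeys.has(key)) {
      if (typeof value !== 'string') {
        out.push({ path: here, reason: `non-string ${typeof value}` });
      } else if (!PARTIAL_ALLOWLIST.has(value)) {
        out.push({ path: here, reason: `unknown partial "${value}"` });
      }
      continue;
    }
    findPartialNameViolations(value, partialNameKeys, here, out);
  }
  return out;
}

// Gate to call before template(ctx): throws on the first violation, otherwise
// returns the context unchanged.
function assertSafeContext(ctx, partialNameKeys = new Set(['kind'])) {
  const violations = findPartialNameViolations(ctx, partialNameKeys);
  if (violations.length > 0) {
    const first = violations[0];
    throw new Error(`unsafe context at ${first.path}: ${first.reason}`);
  }
  return ctx;
}

// Constructed sample contexts: one benign, one where a nested partial-name
// field carries an object instead of a string. The object is only a stand-in
// for "a value that is not a string", not a working payload.
const BENIGN_CONTEXT = {
  kind: 'userCard',
  user: { name: 'alice', items: [{ kind: 'guestCard' }] },
};
const HOSTILE_CONTEXT = {
  kind: 'userCard',
  user: { items: [{ kind: { not: 'a string' } }] },
};

// Runs both contexts through the gate and reports the outcome.
function demo() {
  const accepted = assertSafeContext(BENIGN_CONTEXT) === BENIGN_CONTEXT;
  let rejected = null;
  try {
    assertSafeContext(HOSTILE_CONTEXT);
  } catch (e) {
    rejected = e.message;
  }
  return { accepted, rejected };
}

console.log(demo());
```

With the full build, `registerSafePartial(Handlebars)` plus `HANDLEBARS.compile(HARDENED_TEMPLATE)` replaces the `VULNERABLE_TEMPLATE` pattern; with the runtime-only build (the first workaround) the template is precompiled ahead of time and the helper is registered the same way. Running `assertSafeContext` on user-supplied JSON before every render is independent of which build is in use.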
