CVE-2026-33938
Published: 27 March 2026
Summary
CVE-2026-33938 is a high-severity Code Injection (CWE-94) vulnerability in Handlebarsjs Handlebars. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 14.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): requires timely remediation of the Handlebars flaw by patching to version 4.7.9, directly preventing arbitrary JavaScript execution via crafted @partial-block ASTs.
- CM-6 (Configuration Settings): mandates secure configuration settings such as using the Handlebars runtime-only build, which lacks the vulnerable compile() method, and enforcing read-only context data in helpers.
- Validates untrusted inputs to templates and context data so that crafted Handlebars ASTs are not processed by vulnerable helpers.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Handlebars.js server-side template injection (CWE-94) allows an unauthenticated remote attacker to overwrite @partial-block with an attacker-controlled AST, directly resulting in arbitrary JavaScript execution. This maps to T1190 for initial exploitation of public-facing applications and to T1059.007 for abuse of the JavaScript interpreter.
NVD Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.
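The second workaround above, auditing helpers so that they treat context data as read-only, can be enforced mechanically rather than by code review alone. The following is an added example, not code from the Handlebars project or from this advisory: a `guardHelper` wrapper that hands the helper deep read-only views of `this`, `options.hash` and `options.data` (the frame that holds `@`-variables), so any attempt to write into the context throws instead of silently mutating it. It assumes the documented helper calling convention (positional arguments followed by an `options` object with `hash` and `data` properties); the helpers and the `options` object in the demo are constructed for illustration and the demo calls the wrapped helpers directly rather than through the Handlebars runtime.

```javascript
'use strict';

// Deep read-only view of a value. Objects and arrays are wrapped in a Proxy that
// throws on any write; primitives and functions pass through unchanged.
function readOnly(value, path) {
  if (value === null || typeof value !== 'object') return value;
  const deny = (prop) => {
    throw new TypeError(
      `helper attempted to write ${path}.${String(prop)}; context data is read-only`);
  };
  return new Proxy(value, {
    get(target, prop, receiver) {
      const desc = Reflect.getOwnPropertyDescriptor(target, prop);
      const v = Reflect.get(target, prop, receiver);
      // Proxy invariant: non-configurable, non-writable properties must be returned as-is.
      if (desc && desc.configurable === false && desc.writable === false) return v;
      return readOnly(v, `${path}.${String(prop)}`);
    },
    set(target, prop) { deny(prop); },
    deleteProperty(target, prop) { deny(prop); },
    defineProperty(target, prop) { deny(prop); },
  });
}

// Wrap a Handlebars helper so it can only read `this`, options.hash and options.data.
// Assumes the documented helper convention: positional args, then an options object
// whose `data` property is the @-variable frame. Registration with the real library
// would be Handlebars.registerHelper('name', guardHelper(fn)).
function guardHelper(helper) {
  return function guarded(...args) {
    const last = args[args.length - 1];
    if (last && typeof last === 'object' && 'data' in last) {
      // Shallow copy keeps fn/inverse etc. intact; only the mutable views are replaced.
      args[args.length - 1] = Object.assign({}, last, {
        data: readOnly(last.data, 'options.data'),
        hash: readOnly(last.hash, 'options.hash'),
      });
    }
    return helper.apply(readOnly(this, 'this'), args);
  };
}

// Constructed example: a well-behaved helper that only reads context and hash.
const upperName = guardHelper(function (options) {
  return String(this.name).toUpperCase() + (options.hash.suffix || '');
});

// Constructed example: a helper that writes into the data frame, the pattern the
// advisory tells auditors to look for. The guard rejects the write regardless of key.
const writingHelper = guardHelper(function (value, options) {
  options.data['partial-block'] = value;
  return 'unreachable';
});

// Run both against a constructed options object shaped like the one Handlebars passes.
function demo() {
  const options = {
    name: 'upperName',
    hash: { suffix: '!' },
    data: { root: { name: 'alice' } },
  };
  const good = upperName.call({ name: 'alice' }, options);
  let blocked = null;
  try {
    writingHelper.call({ name: 'alice' }, 'anything', options);
  } catch (e) {
    blocked = e.message;
  }
  return { good, blocked, dataUntouched: !('partial-block' in options.data) };
}
```

Wrapping helpers this way turns a silent context write into a loud failure during testing, which is how an audit finds third-party helpers that do not treat context data as read-only. It is a detection aid for the audit, not a substitute for upgrading to 4.7.9.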
Deeper analysis [AI]
CVE-2026-33938 is a high-severity vulnerability (CVSS 3.1 score of 8.1) affecting Handlebars.js, a templating engine for building semantic templates, in versions 4.0.0 through 4.7.8. The issue stems from the `@partial-block` special variable being stored in the template data context, making it reachable and mutable from within a template via helpers that accept arbitrary objects. An attacker can overwrite `@partial-block` with a crafted Handlebars Abstract Syntax Tree (AST), and a subsequent invocation of `{{> @partial-block}}` will compile and execute that AST, resulting in arbitrary JavaScript code execution on the server. The vulnerability is associated with CWE-94 (improper control of code generation) and CWE-843 (access of resource using incompatible type).
Exploitation is possible over the network without privileges or user interaction (AV:N/AC:H/PR:N/UI:N/S:U), but attack complexity is high: untrusted input must be able to influence templates or context data, and a registered helper must permit arbitrary writes to the context. Attackers can leverage this in scenarios where custom or third-party helpers (e.g., from packages like `handlebars-helpers`) process user-controlled data, enabling remote code execution with high impact on confidentiality, integrity, and availability.
The vulnerability is fixed in Handlebars version 4.7.9, as detailed in the project's security advisory (GHSA-3mfm-83xf-c92r) and release notes. Mitigation workarounds include using the runtime-only build (`require('handlebars/runtime')`), which lacks the vulnerable `compile()` method; auditing registered helpers to ensure they treat context data as read-only and do not write arbitrary values; and avoiding third-party helpers in environments with untrusted template or context input. Relevant patches and details are available in the fix commit and release tag on the Handlebars GitHub repository.
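Because the fix is a version bump, the first remediation step is finding every copy of Handlebars a project actually installs, including nested copies pulled in by other dependencies. The following is an added example, not code from the page or the Handlebars project: it walks a `package-lock.json` (the flat `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1) and flags each `handlebars` entry whose version falls in the affected range 4.0.0 through 4.7.8. The two lockfiles embedded below are constructed sample data.

```javascript
'use strict';

// Affected range from the advisory: 4.0.0 through 4.7.8 inclusive; 4.7.9 is the fix.
const AFFECTED_MIN = [4, 0, 0];
const FIXED = [4, 7, 9];

// Parse "major.minor.patch" (optional leading "v"; prerelease/build suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true: inside [4.0.0, 4.7.9); false: outside; null: unparseable, needs manual review.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Collect every handlebars install recorded in a package-lock.json.
// lockfileVersion 2/3 lists installs flat under "packages" keyed by install path;
// lockfileVersion 1 nests them under "dependencies".
function findHandlebars(lock) {
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p === 'node_modules/handlebars' || p.endsWith('/node_modules/handlebars')) {
        found.push({ path: p, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'handlebars') found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// One finding per installed copy, with the affected verdict attached.
function auditLock(lock) {
  return findHandlebars(lock).map((f) => ({ ...f, affected: isAffected(f.version) }));
}

// Constructed sample lockfiles (not real project data): a top-level affected copy,
// a nested copy already on the fixed version, and a v1-format nested affected copy.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/handlebars': { version: '4.7.8' },
    'node_modules/report-tool': { version: '1.0.0' },
    'node_modules/report-tool/node_modules/handlebars': { version: '4.7.9' },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    'report-tool': {
      version: '1.0.0',
      dependencies: { handlebars: { version: '4.0.0' } },
    },
  },
};

for (const f of auditLock(SAMPLE_LOCK_V3)) {
  console.log(`${f.path} ${f.version} affected=${f.affected}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK_V3` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Any finding with `affected: true` needs the upgrade to 4.7.9; a nested copy under another package's `node_modules` means that dependency also has to be updated or overridden, since patching only the top-level entry leaves the nested one in place.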
Details
- CWE(s)