Cyber Resilience

CVE-2026-33941

High · Public PoC · Updated

Published: 27 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: fixed in Handlebars 4.7.9
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0029 (20.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33941 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Handlebarsjs Handlebars. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 20.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33941 is a code injection vulnerability in the Handlebars CLI precompiler, specifically in `bin/handlebars` and `lib/precompiler.js`, affecting versions 4.0.0 through 4.7.8 of the Handlebars templating library. The precompiler concatenates user-controlled inputs, such as template filenames and CLI options, directly into the emitted JavaScript bundle without escaping or sanitization. This allows injection of arbitrary JavaScript code, which executes when the generated bundle is loaded in a Node.js environment or browser. The vulnerability is rated 8.2 on the CVSS 3.1 scale (AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) and maps to CWE-79 (XSS), CWE-94 (code injection), and CWE-116 (improper encoding).

An attacker with local access and low privileges (PR:L) can exploit this by controlling template filenames or CLI arguments, typically requiring user interaction (UI:R) to invoke the precompiler. Successful exploitation injects malicious JavaScript into the output bundle, achieving remote code execution with high confidentiality, integrity, and availability impacts in the context of the loading environment (S:C), such as a Node.js server or browser runtime during template compilation in build pipelines.

The issue is fixed in Handlebars version 4.7.9, as detailed in the release notes and associated commit. The GitHub security advisory (GHSA-xjpj-3mr7-gcpf) recommends mitigations including validating CLI inputs to reject characters with JavaScript escaping significance (e.g., `"`, `'`, `;`), using fixed trusted namespace strings via configuration files instead of command-line arguments, running the precompiler in a sandboxed environment like a container without write access to sensitive paths, and auditing template filenames in repositories used by automated build pipelines.


Vulnerability details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings, namely template file names and several CLI options, directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.
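The first workaround above (reject CLI values carrying JavaScript string-escaping characters before the precompiler runs) and the underlying defect described in the deeper analysis (raw concatenation into emitted source) are illustrated by the following added example. It is not Handlebars project code and does not reproduce its precompiler; `validateCliValue`, `validatePrecompileInputs`, `isSafeNamespace`, the two `emitRegistration*` functions, the extra rejected characters beyond `"`, `'`, `;`, and the dotted-identifier namespace policy are all assumptions made for this illustration, as are the sample filenames.

```javascript
// Added example (not Handlebars project code): validating precompiler inputs
// and embedding them safely, following the advisory's workaround guidance.

// Characters with JavaScript string-escaping significance. The advisory names
// `"`, `'` and `;`; backslash, backtick, line terminators and `${` are added
// here on the assumption that they can also alter emitted source.
const UNSAFE_PATTERN = /["'`\\;\r\n\u2028\u2029]|\$\{/;

// Namespace strings are required to be a plain dotted identifier path such as
// `Handlebars.templates` (assumed policy for this example, not a Handlebars rule).
const NAMESPACE_PATTERN = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Check one CLI value. Returns null when acceptable, otherwise a reason string
// suitable for a build log.
function validateCliValue(value, label = 'value') {
  if (typeof value !== 'string' || value.length === 0) {
    return `${label} must be a non-empty string`;
  }
  const m = UNSAFE_PATTERN.exec(value);
  if (m) {
    return `${label} contains disallowed sequence ${JSON.stringify(m[0])} at index ${m.index}`;
  }
  return null;
}

function isSafeNamespace(ns) {
  return typeof ns === 'string' && NAMESPACE_PATTERN.test(ns);
}

// Validate every filename and option before the precompiler runs, collecting
// all problems so a build log shows them at once. The `namespace` option gets
// the stricter identifier check; every other option gets the character check.
function validatePrecompileInputs(filenames, options) {
  const problems = [];
  for (const f of filenames) {
    const err = validateCliValue(f, `template filename ${JSON.stringify(f)}`);
    if (err) problems.push(err);
  }
  for (const [key, val] of Object.entries(options)) {
    if (key === 'namespace') {
      if (!isSafeNamespace(val)) {
        problems.push(`option --namespace ${JSON.stringify(val)} is not a dotted identifier path`);
      }
      continue;
    }
    const err = validateCliValue(val, `option --${key}`);
    if (err) problems.push(err);
  }
  return problems;
}

// The defect class the advisory describes (shown for contrast, do not use):
// the template name is concatenated between hand-written quotes, so the
// name's own characters decide where the string literal ends.
function emitRegistrationUnsafe(namespace, name, compiledBody) {
  return namespace + "['" + name + "'] = " + compiledBody + ';';
}

// Hardened form: JSON.stringify produces a valid JavaScript string literal,
// so every character of the name stays inside that literal.
function emitRegistrationSafe(namespace, name, compiledBody) {
  return namespace + '[' + JSON.stringify(name) + '] = ' + compiledBody + ';';
}

// Constructed sample inputs for this example.
const SAMPLE_GOOD = ['views/home.hbs', 'views/user-card.hbs'];
const SAMPLE_BAD = ["views/odd'name.hbs", 'views/a;b.hbs'];

// Run the checks a build step would run and return the outcome.
function runChecks() {
  return {
    goodProblems: validatePrecompileInputs(SAMPLE_GOOD, { namespace: 'Templates' }),
    badProblems: validatePrecompileInputs(SAMPLE_BAD, { namespace: 'Templates' }),
    safeEmit: emitRegistrationSafe('Templates', SAMPLE_GOOD[0], 'function () { return ""; }'),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

A build wrapper would call `validatePrecompileInputs` on the expanded file list and the parsed options, fail the build when the returned array is non-empty, and only then invoke the precompiler; the JSON-literal emitter is the shape a fixed emitter takes regardless of whether the inputs were validated, so the two measures complement rather than replace each other.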


MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Code injection in Handlebars precompiler directly enables arbitrary JavaScript execution (T1059.007) when the tainted bundle loads; the flaw itself is exploited to achieve that execution (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33940 (same product: Handlebarsjs Handlebars)
CVE-2026-33938 (same product: Handlebarsjs Handlebars)
CVE-2026-33937 (same product: Handlebarsjs Handlebars)
CVE-2026-33939 (same product: Handlebarsjs Handlebars)
CVE-2026-34585 (shared CWE-79, CWE-94)
CVE-2026-45375 (shared CWE-116, CWE-79)
CVE-2026-34448 (shared CWE-79, CWE-94)
CVE-2026-34725 (shared CWE-79, CWE-94)
CVE-2026-42090 (shared CWE-79, CWE-94)
CVE-2026-44482 (shared CWE-79, CWE-94)

Affected Assets

handlebarsjs
handlebars
4.0.0 — 4.7.9

Mitigating Controls (NIST 800-53 r5)

prevent · SI-2 (Flaw Remediation): directly remediates the code injection flaw by requiring timely updates to Handlebars version 4.7.9 or later.

prevent · SI-10 (Information Input Validation): enforces validation of user-controlled inputs such as template filenames and CLI options to reject JavaScript-escaping characters and prevent injection.

prevent · sandboxing: isolates the Handlebars precompiler process in a sandboxed environment to limit exploitation impact by restricting access to sensitive paths.
