Remote Code Execution via Handlebars.compile in 4.0.0 through 4.7.8
CVE-2026-33937 Published on March 27, 2026

Handlebars.js has JavaScript Injection via AST Type Confusion
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Two workarounds are available. First, validate the input type before calling `Handlebars.compile()`: ensure the argument is always a `string`, never a plain object or a JSON-deserialized value. Second, if templates are pre-compiled at build time, use the Handlebars runtime-only build (`handlebars/runtime`) on the server, where `compile()` is unavailable.
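The first workaround above, as an added example that is not part of the advisory or of Handlebars.js: a wrapper that refuses anything other than a primitive string before it can reach `compile()`. The `hb` parameter (the Handlebars module, or a stand-in) and the function names are this example's own.

```javascript
// Added example, not code from the advisory or from Handlebars.js itself.
// Enforces the documented workaround: Handlebars.compile() must only ever
// receive a primitive string, never an object such as a JSON-deserialized AST.

class TemplateTypeError extends TypeError {}

// Returns the template string unchanged, or throws if the caller passed
// anything else (plain objects, arrays, String wrappers, null, undefined).
function assertTemplateString(input) {
  if (typeof input !== 'string') {
    throw new TemplateTypeError(
      `Handlebars template must be a string, got ${describe(input)}`
    );
  }
  return input;
}

// Short description of the rejected value for logs. Handlebars AST nodes
// carry a string `type` field (e.g. "Program"), so an analyst reading the
// log can tell a rejected AST from a generic misconfigured object.
function describe(value) {
  if (value === null) return 'null';
  if (typeof value !== 'object') return typeof value;
  const t = value.type;
  return typeof t === 'string' ? `object (Handlebars AST node: ${t})` : 'object';
}

// Use this instead of calling hb.compile() directly. `hb` is injected so the
// wrapper can be exercised with a stand-in when Handlebars is not installed.
function compileSafely(hb, input, options) {
  return hb.compile(assertTemplateString(input), options);
}

// Stand-in for the real module so this file runs offline; the real
// Handlebars.compile() returns a template function in the same way.
const fakeHandlebars = { compile: (src) => () => src };

console.log(compileSafely(fakeHandlebars, 'Hello {{name}}')());

// Constructed, benign Program node of the shape Handlebars.parse() returns.
// It is rejected purely because it is an object, before compile() sees it.
const deserialized = JSON.parse('{"type":"Program","body":[],"strip":{}}');
try {
  compileSafely(fakeHandlebars, deserialized);
} catch (e) {
  console.log(e.message);
}
```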


Vulnerability Analysis

CVE-2026-33937 can be exploited with network access and requires neither privileges nor user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof-of-concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered critical, as it has a high impact on the confidentiality, integrity and availability of this component.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Types

What is an Object Type Confusion Vulnerability?

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

CVE-2026-33937 has been classified as an Object Type Confusion vulnerability or weakness.

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-33937 has been classified as a Code Injection vulnerability or weakness.


Products Associated with CVE-2026-33937


Affected Versions

handlebars-lang handlebars.js
Red Hat Cluster Observability Operator 1.5.0
Red Hat OpenShift Dev Spaces 3.27
Logging Subsystem for Red Hat OpenShift
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Cryostat 4
Red Hat Data Grid 8
Red Hat Enterprise Linux 7
Red Hat OpenShift AI (RHOAI)
Red Hat Process Automation 7

Exploit Probability

EPSS: 1.29%
Percentile: 66.40%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.