Arbitrary JS Exec via @partial-block 4.0.04.7.8 (fixed 4.7.9)
CVE-2026-33938 Published on March 27, 2026

Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.

NVD

Vulnerability Analysis

CVE-2026-33938 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-33938. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-33938 has been classified to as a Code Injection vulnerability or weakness.

What is an Object Type Confusion Vulnerability?

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

CVE-2026-33938 has been classified to as an Object Type Confusion vulnerability or weakness.

What is an EL Injection Vulnerability?

The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed.

CVE-2026-33938 has been classified to as an EL Injection vulnerability or weakness.


Products Associated with CVE-2026-33938

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 
 
 
 
 

Affected Versions

handlebars-lang handlebars.js: Red Hat Cluster Observability Operator 1.5.0: Red Hat OpenShift Dev Spaces 3.27: Logging Subsystem for Red Hat OpenShift: Red Hat Enterprise Linux 8: Red Hat Cryostat 4: Red Hat Data Grid 8: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 9: Red Hat OpenShift AI (RHOAI): Red Hat Process Automation 7:

Exploit Probability

EPSS
0.62%
Percentile
44.83%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.