Arbitrary Code Execution via Dynamic Partial Bypass in Handlebars v4.0.0-4.7.8
CVE-2026-33940 Published on March 27, 2026

Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `resolvePartial()` and cause `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). Without `compile()`, the fallback compilation path in `invokePartial` is unreachable. Second, sanitize context data before rendering: Ensure no value in the context is a non-primitive object that could be passed to a dynamic partial. Third, avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled.

NVD

Vulnerability Analysis

CVE-2026-33940 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-33940. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a Code Injection Vulnerability?

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVE-2026-33940 has been classified to as a Code Injection vulnerability or weakness.

What is an Object Type Confusion Vulnerability?

The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

CVE-2026-33940 has been classified to as an Object Type Confusion vulnerability or weakness.


Products Associated with CVE-2026-33940

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

 
 
 
 
 
 
 

Affected Versions

handlebars-lang handlebars.js: Red Hat OpenShift Dev Spaces 3.27: Logging Subsystem for Red Hat OpenShift: Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Cryostat 4: Red Hat Data Grid 8: Red Hat Enterprise Linux 7: Red Hat OpenShift AI (RHOAI): Red Hat Process Automation 7:

Exploit Probability

EPSS
0.62%
Percentile
44.91%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.