Description

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.

INFO

Published Date :

2026-03-27T21:00:48.624Z

Last Modified :

2026-03-30T15:41:36.977Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33916 vulnerability.

Vendors Products
Handlebarsjs
  • Handlebars
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33916.

URL Resource
https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 cve-icon cve-icon cve-icon
https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9 cve-icon cve-icon cve-icon
https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-33916 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-33916 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact