CVE-2026-33916: Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
resolvePartial() in the Handlebars runtime resolves partial names with a plain property lookup on options.partials, which walks the prototype chain instead of being restricted to the object's own properties. If Object.prototype has already been polluted with a string value under a key that matches a partial reference ({{> name}}) in a template, that string is returned as the partial body and rendered as template source, so it reaches the output without HTML escaping; the result is reflected or stored XSS depending on where the rendered output lands. This is a post-pollution gadget, not a pollution primitive: exploiting it requires a separate prototype pollution vulnerability in the application (for example an unsafe deep merge of attacker-controlled JSON) to set the key first.
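The following is an added example, not Handlebars' own code and not the upstream fix: it models the lookup pattern the advisory describes (a plain property lookup on the partials table) next to a hardened own-property lookup and a null-prototype partials table, using a toy renderer so the effect can be seen end to end. The names resolvePartialVulnerable, resolvePartialHardened, render, makePartialsTable and demo are assumptions for illustration only, and the pollution is simulated directly rather than triggered through a real pollution bug.

```javascript
// Added example (not Handlebars' own code). Models the partial-lookup bug class
// from the advisory and two ways of closing it. All names here are assumptions.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Vulnerable pattern: `partials[name]` is a plain property lookup, so it walks
// the prototype chain and returns a polluted Object.prototype value for any
// partial name that was never registered.
function resolvePartialVulnerable(partials, name) {
  return partials[name];
}

// Hardened pattern: accept only own properties of the partials table, and only
// if the value is a string (template source). Inherited keys are ignored.
function resolvePartialHardened(partials, name) {
  if (!hasOwn(partials, name)) return undefined;
  const body = partials[name];
  return typeof body === 'string' ? body : undefined;
}

// Second line of defence on the registration side: a table with no prototype
// cannot be reached through Object.prototype at all, whichever lookup is used.
function makePartialsTable(entries) {
  return Object.assign(Object.create(null), entries);
}

// HTML-escape context values. Partial bodies are template *source* and are
// deliberately not escaped, which is exactly why a polluted body becomes XSS.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Toy renderer: {{> name}} expands a partial (recursively), {{key}} inserts an
// escaped context value. Single pass, so expanded output is never re-parsed.
function render(template, context, partials, resolve) {
  return template.replace(/\{\{(>?)\s*([\w.]+)\s*\}\}/g, (_, isPartial, name) => {
    if (isPartial) {
      const body = resolve(partials, name);
      if (body === undefined) throw new Error(`partial "${name}" not found`);
      return render(body, context, partials, resolve);
    }
    return escapeHtml(hasOwn(context, name) ? context[name] : '');
  });
}

// Demonstration. In a real application the pollution would come from a separate
// prototype-pollution bug; here it is simulated by assigning to Object.prototype.
function demo() {
  const partials = { header: '<h1>{{title}}</h1>' };   // constructed sample table
  const template = '{{> header}}{{> footer}}';          // "footer" is never registered
  const context = { title: 'Hello <script>' };          // ordinary value, escaped as usual
  const payload = '<img src=x onerror=alert(1)>';       // constructed XSS payload

  const result = { vulnerable: undefined, hardenedError: undefined, nullProtoError: undefined };
  Object.prototype.footer = payload;                    // simulated prototype pollution
  try {
    // Plain lookup: the inherited "footer" is used as template source, unescaped.
    result.vulnerable = render(template, context, partials, resolvePartialVulnerable);

    // Own-property lookup: the unregistered partial is simply missing.
    try {
      render(template, context, partials, resolvePartialHardened);
    } catch (e) {
      result.hardenedError = e.message;
    }

    // Null-prototype table: even the plain lookup cannot see the polluted key.
    try {
      render(template, context, makePartialsTable(partials), resolvePartialVulnerable);
    } catch (e) {
      result.nullProtoError = e.message;
    }
  } finally {
    delete Object.prototype.footer;                     // undo the simulated pollution
  }
  return result;
}
```

With the plain lookup the rendered output ends in the raw payload, while both the own-property check and the null-prototype table reject the unregistered partial. Either control only removes this gadget; the real fix is upgrading Handlebars and removing the pollution primitive that sets the key in the first place.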
References
- github.com/advisories/GHSA-2qvq-rjwj-gvw9
- github.com/handlebars-lang/handlebars.js
- github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9
- nvd.nist.gov/vuln/detail/CVE-2021-23369
- nvd.nist.gov/vuln/detail/CVE-2021-23383
- nvd.nist.gov/vuln/detail/CVE-2026-33916