CVE-2026-33937: Handlebars.js has JavaScript Injection via AST Type Confusion
Handlebars.compile() accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to compile() can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server.
References
- github.com/advisories/GHSA-2w6w-674q-4c4q
- github.com/handlebars-lang/handlebars.js
- github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
- nvd.nist.gov/vuln/detail/CVE-2026-33937
Code Behaviors & Features
Detect and mitigate CVE-2026-33937 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →