CVE-2026-33938: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering with @partial-block
The @partial-block special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites @partial-block with a crafted Handlebars AST, a subsequent invocation of {{> @partial-block}} compiles and executes that AST, enabling arbitrary JavaScript execution on the server.
References
- github.com/advisories/GHSA-3mfm-83xf-c92r
- github.com/handlebars-lang/handlebars.js
- github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r
- nvd.nist.gov/vuln/detail/CVE-2026-33938
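As an added example (not part of the advisory or the Handlebars project), the check below audits an npm lockfile for copies of handlebars below the fixed release v4.7.9 referenced above. It assumes the lockfile v2/v3 layout (a `packages` map keyed by `node_modules` path); the sample lockfile is constructed inline.

```javascript
// Added example: flag handlebars installs below the fixed version named in
// the advisory. Assumes npm lockfile v2/v3 ("packages" map); v1 "dependencies"
// trees are not walked.
const FIXED_VERSION = '4.7.9';
const CVE_ID = 'CVE-2026-33938';

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", trailing prerelease/build
// suffix ignored) into three numbers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric compare per field).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk every installed package entry (including nested copies) and report
// handlebars versions that predate the fix.
function findVulnerableHandlebars(lockfile) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (!/(^|\/)node_modules\/handlebars$/.test(path) || !entry.version) continue;
    if (compareSemver(entry.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: entry.version, cve: CVE_ID, fixed: FIXED_VERSION });
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable top-level copy, one patched nested copy.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.7.8' },
    'node_modules/some-tool/node_modules/handlebars': { version: '4.7.9' },
  },
};

for (const f of findVulnerableHandlebars(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}@${f.version} is below ${f.fixed} (${f.cve})`);
}
```

To audit a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.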
Detect and mitigate CVE-2026-33938 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.