CVE-2026-33940: Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
(updated )
A crafted object placed in the template context can bypass all conditional guards in resolvePartial() and cause invokePartial() to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile(). Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires the adversary to control a value that can be returned by a dynamic partial lookup.
References
- github.com/advisories/GHSA-xhpv-hc6g-r9c6
- github.com/handlebars-lang/handlebars.js
- github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
- nvd.nist.gov/vuln/detail/CVE-2026-33940
Code Behaviors & Features
Detect and mitigate CVE-2026-33940 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →