LeakyCreds

CVE-2026-33937 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: March 30, 2026

Handlebars - Remote Code Execution

Published: March 27, 2026 | Updated: March 30, 2026 | PoC Available | Remote Exploitable

Overview

Handlebars 4.0.0 through 4.7.8 contains a remote code execution vulnerability caused by an unsanitized NumberLiteral AST node value in Handlebars.compile(), which lets an attacker inject and execute arbitrary JavaScript. Exploitation requires the attacker to supply a crafted AST to the compiler.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 25.0% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary JavaScript on the server, leading to full remote code execution and server compromise.

Mitigation

Upgrade to version 4.7.9 or later.

Social Media Activity (1 post)

Offensive Sequence
@offseq
Mar 27, 2026

⚠️ CRITICAL: handlebars.js v4.0.0 – 4.7.8 vulnerable (CVE-2026-33937). Type confusion in compile() lets attackers inject JS & gain RCE via crafted AST. Upgrade to 4.7.9+, validate inputs, use runtime-only build if possible. https://radar.offseq.com/threat/cve-2026-33937-cwe-843-access-of-resource-using-in-5708b559 #OffSeq #CVE202633937 #infosec


Details

CVE ID: CVE-2026-33937
Severity: Critical
CVSS Score: 9.8
Type: template_injection
Status: unconfirmed
EPSS: 25.0%
Social Posts: 1

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

25.0% (probability of exploitation in the next 30 days)