CVE-2026-33937 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: March 27, 2026
Handlebars - Remote Code Execution
Overview
Handlebars 4.0.0 through 4.7.8 contains a remote code execution vulnerability caused by an unsanitized `NumberLiteral` AST node value in `Handlebars.compile()`, which accepts a pre-parsed AST object in addition to a template string. This lets an attacker inject and execute arbitrary JavaScript; exploitation requires the attacker to supply a crafted AST.
Severity & Score
Impact
Attackers can execute arbitrary JavaScript on the server, leading to full remote code execution and server compromise.
Mitigation
Upgrade to version 4.7.9 or later.
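Upgrading is the fix. For a code path that must keep accepting a caller-supplied AST until the upgrade lands, the following defence-in-depth gate is an added example (it is not code from this advisory or from the Handlebars project): it walks the AST object before it reaches `Handlebars.compile()` and rejects any `NumberLiteral` whose `value` is not a finite JavaScript number, which is the node the advisory names. The node shape assumed here (a `type` field on every node, a `value` field on `NumberLiteral`) follows the public Handlebars AST and is an assumption; `compile` is injected so the block runs offline without the library.

```javascript
'use strict';

// Added example, not from the advisory or the Handlebars project.
// Assumption: nodes carry `type`, and NumberLiteral nodes carry `value`
// (public Handlebars AST shape). Everything else is walked generically.

class UnsafeAstError extends Error {}

// Recursively walk any plain object/array. `path` is only for diagnostics;
// `seen` catches cycles (and shared nodes) so the walk always terminates.
function validateAst(node, path = 'root', seen = new Set()) {
  if (node === null || typeof node !== 'object') return true;
  if (seen.has(node)) throw new UnsafeAstError(`node visited twice at ${path}`);
  seen.add(node);

  if (Array.isArray(node)) {
    node.forEach((child, i) => validateAst(child, `${path}[${i}]`, seen));
    return true;
  }

  if (node.type === 'NumberLiteral') {
    const v = node.value;
    // typeof rejects strings/objects; isFinite rejects NaN and +/-Infinity,
    // which also do not round-trip as a plain numeric literal.
    if (typeof v !== 'number' || !Number.isFinite(v)) {
      throw new UnsafeAstError(`non-numeric NumberLiteral value at ${path}`);
    }
  }

  for (const [key, child] of Object.entries(node)) {
    validateAst(child, `${path}.${key}`, seen);
  }
  return true;
}

// Gate in front of compile(): a string is handed straight to the parser,
// anything else is validated first. `compile` would be Handlebars.compile.
function safeCompile(input, compile) {
  if (typeof input !== 'string') validateAst(input);
  return compile(input);
}

// Convenience predicate for callers that prefer a boolean to an exception.
function isAstAccepted(ast) {
  try {
    validateAst(ast);
    return true;
  } catch (e) {
    if (e instanceof UnsafeAstError) return false;
    throw e;
  }
}

// Constructed sample ASTs (shape is an assumption, see above): the
// equivalent of "{{add 40 2}}", once well-formed and once with a
// NumberLiteral whose value is a string instead of a number.
const goodAst = {
  type: 'Program',
  body: [{
    type: 'MustacheStatement',
    path: { type: 'PathExpression', original: 'add', parts: ['add'] },
    params: [
      { type: 'NumberLiteral', value: 40, original: '40' },
      { type: 'NumberLiteral', value: 2, original: '2' },
    ],
  }],
};

const badAst = JSON.parse(JSON.stringify(goodAst));
badAst.body[0].params[1].value = 'not-a-number';

console.log('well-formed AST accepted:', isAstAccepted(goodAst));
console.log('string-valued NumberLiteral accepted:', isAstAccepted(badAst));
```

The simplest control is stricter still: only ever pass template strings to `compile()` and never accept an AST object from outside the trust boundary, so the parser, not the caller, decides what a `NumberLiteral` contains. The walker above is for the narrower case where an AST genuinely has to cross that boundary, and it does not replace the upgrade to 4.7.9.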
References
Social Media Activity(2 posts)
CVE-2026-33937 - Critical (9.8) Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST nod... https://www.thehackerwire.com/vulnerability/CVE-2026-33937/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-33937
- Severity: Critical
- CVSS Score: 9.8
- Type: template_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H