CVE-2026-33938 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: March 27, 2026
Handlebars - Server-Side Template Injection
Overview
Handlebars 4.0.0 through 4.7.8 contains a server-side template injection caused by the mutable `@partial-block` variable in the template data context, which lets attackers execute arbitrary JavaScript on the server. Exploitation requires a crafted helper that overwrites `@partial-block`.
Severity & Score
Impact
Attackers can execute arbitrary JavaScript code on the server, potentially leading to full server compromise.
Mitigation
Upgrade to version 4.7.9 or later; use the runtime-only build and audit helpers to avoid a mutable context.
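To act on the upgrade advice, the following added example (not part of the original advisory or the Handlebars project) finds every top-level or nested `handlebars` install in the affected range 4.0.0 through 4.7.8. It assumes an npm lockfile in v2/v3 format, where the `packages` map is keyed by install path; the sample lockfile is constructed for illustration.

```javascript
// Added example: flag Handlebars installs in the range this page lists
// (4.0.0 through 4.7.8) inside an npm lockfile (assumed v2/v3 layout).

// Parse "major.minor.patch"; any prerelease/build suffix is ignored, so a
// prerelease of an affected version is treated as affected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in 4.0.0..4.7.8 inclusive.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compare(v, [4, 0, 0]) >= 0 && compare(v, [4, 7, 8]) <= 0;
}

// Return each install path of the "handlebars" package that is affected.
// The path regex matches the exact package name only, so look-alikes such
// as "express-handlebars" are not reported.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/handlebars$/.test(path)) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile; package names other than handlebars are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/handlebars": { version: "4.7.8" },
    "node_modules/express-handlebars": { version: "6.0.7" },
    "node_modules/report-gen/node_modules/handlebars": { version: "4.5.3" },
    "node_modules/mailer/node_modules/handlebars": { version: "4.7.9" },
    "node_modules/legacy/node_modules/handlebars": { version: "3.0.8" },
  },
};
console.log(findAffected(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; nested hits usually mean a transitive dependency pins the old version and needs an override or its own upgrade.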
References
Social Media Activity (2 posts)
CVE-2026-33938 - High (8.1) Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via he... https://www.thehackerwire.com/vulnerability/CVE-2026-33938/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-33938
- Severity: High
- CVSS Score: 8.1
- Type: template_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H