CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ⬡ Vulnerabilities & CVEs Mar 28, 2026

CVE-2026-33939 | Handlebars up to 4.7.8 Template Call compile unusual condition (GHSA-9cx6-37pm-9jff)

VulDB Archived Mar 28, 2026 ✓ Full text saved

A vulnerability categorized as problematic has been discovered in Handlebars up to 4.7.8 . Impacted is the function compile of the component Template Call Handler . Executing a manipulation can lead to improper check for unusual conditions. This vulnerability is registered as CVE-2026-33939 . It is possible to launch the attack remotely. No exploit is available. It is advisable to upgrade the affected component.

Full text archived locally
✦ AI Summary · Claude Sonnet

    VDB-354041 · CVE-2026-33939 · GHSA-9CX6-37PM-9JFF HANDLEBARS UP TO 4.7.8 TEMPLATE CALL COMPILE UNUSUAL CONDITION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.3 $0-$5k 2.08+ Summaryinfo A vulnerability identified as problematic has been detected in Handlebars up to 4.7.8. The affected element is the function compile of the component Template Call Handler. The manipulation leads to unusual condition. This vulnerability is documented as CVE-2026-33939. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component. Detailsinfo A vulnerability was found in Handlebars up to 4.7.8. It has been rated as problematic. This issue affects the function compile of the component Template Call Handler. The manipulation with an unknown input leads to a unusual condition vulnerability. Using CWE to declare the problem leads to CWE-754. The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. Impacted is availability. The summary by CVE is: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time. The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-33939 since 03/24/2026. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are known, but no exploit is available. Upgrading to version 4.7.9 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Name Handlebars Version 4.7.0 4.7.1 4.7.2 4.7.3 4.7.4 4.7.5 4.7.6 4.7.7 4.7.8 License open-source CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.4 VulDB Meta Temp Score: 6.3 VulDB Base Score: 5.3 VulDB Temp Score: 5.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 7.5 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Unusual condition CWE: CWE-754 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: Handlebars 4.7.9 Patch: 68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 Timelineinfo 03/24/2026 CVE reserved 03/27/2026 +3 days Advisory disclosed 03/27/2026 +0 days VulDB entry created 03/27/2026 +0 days VulDB entry last update Sourcesinfo Advisory: GHSA-9cx6-37pm-9jff Status: Confirmed CVE: CVE-2026-33939 (🔒) GCVE (CVE): GCVE-0-2026-33939 GCVE (VulDB): GCVE-100-354041 Entryinfo Created: 03/27/2026 23:47 Changes: 03/27/2026 23:47 (67) Complete: 🔍 Cache ID: 99:E18:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸
    💬 Team Notes
    Article Info
    Source
    VulDB
    Category
    ⬡ Vulnerabilities & CVEs
    Published
    Mar 28, 2026
    Archived
    Mar 28, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗