| CVE-2015-8861 | medium | 6.1 | 6.1 | | | | 10y ago | The handlebars package before 4.0.0 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted. |
| CVE-2026-33941 | unknown | — | — | | | | 2mo ago | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates u… |
| CVE-2026-33940 | unknown | — | — | | | | 2mo ago | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context can bypass all conditional guards in `r… |
| CVE-2026-33939 | unknown | — | — | | | | 2mo ago | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decora… |
| CVE-2026-33938 | unknown | — | — | | | | 2mo ago | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is rea… |
| CVE-2026-33937 | unknown | — | — | | | | 2mo ago | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string… |
| CVE-2026-33916 | unknown | — | — | | | | 2mo ago | Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain propert… |
| CVE-2019-20922 | unknown | — | — | | | | 4y ago | Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow… |
| CVE-2019-20920 | unknown | — | — | | | | 4y ago | Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arb… |
| CVE-2021-23383 | unknown | — | — | | | | 5y ago | The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |
| CVE-2021-23369 | unknown | — | — | | | | 5y ago | Remote code execution in handlebars when compiling templates |
| CVE-2019-19919 | unknown | — | — | | | | 7y ago | Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allo… |