Bug 2452509 (CVE-2026-33916)

Summary: CVE-2026-33916 handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, abuckta, cmah, dhanak, dkuc, drosa, eaguilar, ebaron, gotiwari, ibek, jcantril, jgrulich, jhorak, jkoehler, jolong, jrokos, lchilton, lphiri, mnovotny, mvyas, orabin, pjindal, rojacob, sausingh, sdawley, sfeifer, tpopela
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Handlebars. The `resolvePartial()` function in the Handlebars runtime does not guard against prototype-chain traversal when resolving partial names: the lookup on the partials map is a plain property read, so an unregistered name can resolve to a property inherited from `Object.prototype`. When `Object.prototype` has been polluted with a string value under a key that matches a partial reference in a template, that polluted string is used as the partial body and rendered as template markup without HTML escaping. In an application that also has a prototype-pollution bug, this results in reflected or stored Cross-Site Scripting (XSS), potentially leading to arbitrary JavaScript execution in the victim's browser or information disclosure.
Story Points: ---
Clone Of:
Type: ---
Regression: ---
Documentation: ---
Verified Versions:
oVirt Team: ---
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 2452576, 2452577, 2452578, 2452579, 2452582, 2452586, 2452587, 2452573, 2452574, 2452575, 2452580, 2452581, 2452583, 2452584, 2452585

Description OSIDB Bzimport 2026-03-27 22:02:10 UTC
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. The flaw is a gadget: exploiting it requires a separate prototype-pollution vulnerability in the application or one of its dependencies. Version 4.7.9 fixes the issue. Two workarounds are available. First, apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution; note that this may break other libraries that extend built-in prototypes. Second, or in addition, use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.
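The mechanism described in the Doc Text and the Description above, as an added example that is not part of this bug report and is not Handlebars' own code. It pairs a constructed prototype-pollution source (a naive recursive merge of attacker JSON, a common pattern in settings handling) with a minimal stand-in for the runtime's partial lookup, once as the unguarded property read the advisory describes and once with an own-property check. The names `naiveMerge`, `resolvePartialVulnerable`, `resolvePartialHardened`, `tryRender` and `render`, the template and the payload are assumptions for illustration; the `handlebars` package is not required.

```javascript
'use strict';
// Added example, not Handlebars' own code: it models the unguarded partial
// lookup the advisory describes and the own-property check that closes it.
// naiveMerge, resolvePartialVulnerable, resolvePartialHardened, render and
// tryRender are hypothetical names; the handlebars package is not required.

// A typical prototype-pollution source (constructed here): a naive recursive
// merge of attacker-controlled JSON into an options object. A "__proto__" key
// walks up into Object.prototype and plants the attacker's string there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value); // target['__proto__'] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Vulnerable lookup: a plain property read falls through to the prototype
// chain, so an unregistered partial name can resolve to a polluted string.
function resolvePartialVulnerable(partials, name) {
  return partials[name];
}

// Hardened lookup: only own properties of the partials map count as registered.
function resolvePartialHardened(partials, name) {
  return Object.prototype.hasOwnProperty.call(partials, name) ? partials[name] : undefined;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal stand-in for the runtime: expand `{{> name}}` with the partial body
// (template text, so it is emitted verbatim like any template markup), then
// substitute `{{key}}` with HTML-escaped context values. Missing partials throw.
function render(template, partials, ctx, resolvePartial) {
  const expanded = template.replace(/\{\{>\s*([\w-]+)\s*\}\}/g, (_, name) => {
    const body = resolvePartial(partials, name);
    if (typeof body !== 'string') throw new Error(`The partial ${name} could not be found`);
    return body;
  });
  return expanded.replace(/\{\{\s*([\w-]+)\s*\}\}/g, (_, key) =>
    escapeHtml(String(Object.prototype.hasOwnProperty.call(ctx, key) ? ctx[key] : '')));
}

const TEMPLATE = '{{> header}}<p>{{body}}</p>{{> footer}}'; // footer is never registered
const PARTIALS = { header: '<h1>{{title}}</h1>' };
const CONTEXT = { title: 'Hello', body: '<b>untrusted</b>' };
// Constructed attacker input, e.g. a JSON settings document posted to the app.
const ATTACKER_JSON = '{"__proto__":{"footer":"<img src=x onerror=alert(1)>"}}';

function tryRender(resolvePartial) {
  try {
    return { html: render(TEMPLATE, PARTIALS, CONTEXT, resolvePartial), error: null };
  } catch (e) {
    return { html: null, error: e.message };
  }
}

// Runs the scenario and returns both outcomes. Object.prototype is cleaned up
// afterwards so the pollution does not leak into the rest of the process.
function demo() {
  const before = resolvePartialVulnerable(PARTIALS, 'footer'); // undefined: nothing registered
  naiveMerge({}, JSON.parse(ATTACKER_JSON));                   // pollutes Object.prototype.footer
  try {
    return {
      before,
      vulnerable: tryRender(resolvePartialVulnerable), // payload lands in the page unescaped
      hardened: tryRender(resolvePartialHardened),     // unregistered partial stays an error
    };
  } finally {
    delete Object.prototype.footer;
  }
}

console.log(JSON.stringify(demo(), null, 2));
```

The hardened lookup is the same check as `Object.hasOwn(partials, name)` on Node 16.9 and later; the older `hasOwnProperty.call` form is used here only for portability. With the first workaround from the Description applied, `Object.freeze(Object.prototype)` makes the assignment inside `naiveMerge` throw a TypeError in strict mode (or be silently dropped in sloppy mode), so the partial lookup finds nothing even with the unguarded read. The example replaces Handlebars' template compiler with a two-pass string substitution; in the real runtime the polluted string is compiled and rendered as a partial template, which has the same effect on the emitted markup.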