Bug 2452509 (CVE-2026-33916) - CVE-2026-33916 handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution
Status: NEW
Alias: CVE-2026-33916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Product Security
Depends On: 2452573 2452574 2452576 2452577 2452578 2452579 2452582 2452583 2452584 2452586 2452587 2452575 2452580 2452581 2452585
Reported: 2026-03-27 22:02 UTC by OSIDB Bzimport
Modified: 2026-03-28 10:07 UTC (History)
Description OSIDB Bzimport 2026-03-27 22:02:10 UTC
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Workarounds are available: apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution (note that this may break other libraries), and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.
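As an added illustration (not Handlebars' own code; the simplified lookup functions, the partials map and the sample values are assumptions), the plain property lookup the description refers to is shown beside an own-property lookup and a null-prototype map, run against a deliberately polluted `Object.prototype` that is cleaned up afterwards:

```javascript
// Hypothetical stand-in for the lookup pattern the advisory describes:
// a plain property read walks the prototype chain, so a key written onto
// Object.prototype is returned as though it were a registered partial.
function resolvePartialUnsafe(name, partials) {
  return partials[name];
}

// Hardened variant: only own properties of the partials map count.
// (Object.hasOwn would also do; the .call form works on older runtimes.)
function resolvePartialSafe(name, partials) {
  return Object.prototype.hasOwnProperty.call(partials, name)
    ? partials[name]
    : undefined;
}

// Defensive storage: a null-prototype object has no chain to traverse,
// so even the unsafe lookup cannot reach Object.prototype through it.
function makePartialsMap(entries) {
  const map = Object.create(null);
  for (const [key, value] of Object.entries(entries)) map[key] = value;
  return map;
}

// Simulate the precondition the advisory assumes: some earlier prototype
// pollution bug has stored a string under a key that matches a partial
// reference ("footer"). Constructed values; the marker stands in for the
// unescaped content that would otherwise be rendered.
function demo() {
  const partials = { header: "<h1>{{title}}</h1>" }; // "footer" not registered
  Object.prototype.footer = "POLLUTED-MARKER";
  try {
    return {
      unsafe: resolvePartialUnsafe("footer", partials),     // "POLLUTED-MARKER"
      safe: resolvePartialSafe("footer", partials),         // undefined
      registered: resolvePartialSafe("header", partials),   // the real partial
      nullProto: resolvePartialUnsafe("footer", makePartialsMap(partials)),
    };
  } finally {
    delete Object.prototype.footer; // restore the process for other code
  }
}
```

Running `demo()` shows the same polluted key answering the unsafe lookup and being ignored by both the own-property check and the null-prototype map.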