Bug 2452523 (CVE-2026-33937) - CVE-2026-33937 handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
Summary: CVE-2026-33937 handlebars.js: Handlebars: Remote Code Execution via crafted A...
Keywords:
Status: NEW
Alias: CVE-2026-33937
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452588 2452589 2452595 2452598 2452606 2452612 2452622 2452640 2452591 2452615 2452618 2452628 2452632 2452638 2452643
Blocks:
Reported: 2026-03-27 22:03 UTC by OSIDB Bzimport
Modified: 2026-03-28 10:45 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-27 22:03:14 UTC
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization, so a value that is a string rather than a number becomes part of the compiled function's source. An attacker who can supply a crafted AST to `compile()` (for example, a JSON document that the application deserializes and passes straight through) can therefore inject and execute arbitrary JavaScript in the process that compiles the template, leading to Remote Code Execution on the server.

Version 4.7.9 fixes the issue.

Workarounds:

1. Validate the input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or a JSON-deserialized value.

2. If templates are pre-compiled at build time, use the runtime-only build (`handlebars/runtime`) on the server; `compile()` is not present in that build, so the vulnerable code path cannot be reached.
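The following is an added example, not code from the Handlebars project or from this bug report. It implements the first workaround above as a wrapper that only lets strings reach a compile function, and adds a defence-in-depth check for code that must accept pre-parsed ASTs: a walker that flags any `NumberLiteral` node whose `value` is not a finite number, which is exactly the node shape this CVE abuses. `makeSafeCompile`, `findSuspiciousNumberLiterals`, `stubCompile` and the sample ASTs are all names and data constructed for this example; the AST shape follows the public Handlebars AST node names (`Program`, `MustacheStatement`, `PathExpression`, `NumberLiteral`) but omits `loc` and `strip` fields. `stubCompile` stands in for `Handlebars.compile` so the example runs without the library installed.

```javascript
// Added example for CVE-2026-33937 (not Handlebars project code).
// Runs under plain Node.js with no dependencies.

// Wrap a compile function (in production: Handlebars.compile) so that only
// template strings pass through. Objects, including anything produced by
// JSON.parse(), are rejected before they can reach the code generator.
function makeSafeCompile(compileFn) {
  return function safeCompile(template, options) {
    if (typeof template !== 'string') {
      const got = template === null ? 'null' : typeof template;
      throw new TypeError('template must be a string, got ' + got);
    }
    return compileFn(template, options);
  };
}

// Defence in depth for code that has a legitimate reason to accept a
// pre-parsed AST: walk it and report every NumberLiteral whose value is not
// a finite number. Such a value is what the crafted AST relies on, because a
// vulnerable compile() splices it verbatim into generated JavaScript.
function findSuspiciousNumberLiterals(node, path = 'root', out = []) {
  if (node === null || typeof node !== 'object') return out;
  if (Array.isArray(node)) {
    node.forEach((child, i) => findSuspiciousNumberLiterals(child, path + '[' + i + ']', out));
    return out;
  }
  if (node.type === 'NumberLiteral' &&
      (typeof node.value !== 'number' || !Number.isFinite(node.value))) {
    out.push({ path: path, value: node.value });
  }
  for (const [key, child] of Object.entries(node)) {
    if (key === 'loc') continue; // source positions never carry code
    findSuspiciousNumberLiterals(child, path + '.' + key, out);
  }
  return out;
}

// Stand-in for Handlebars.compile so the example runs offline (hypothetical).
function stubCompile(template) {
  return function renderStub() { return '[compiled: ' + template + ']'; };
}

// Sample ASTs constructed for this example, simplified from what the
// Handlebars parser produces for `{{helper 42}}`.
function mustacheWithNumber(value) {
  return {
    type: 'Program',
    body: [{
      type: 'MustacheStatement',
      path: { type: 'PathExpression', original: 'helper', parts: ['helper'], depth: 0, data: false },
      params: [{ type: 'NumberLiteral', value: value, original: value }],
      escaped: true,
    }],
  };
}
const BENIGN_AST = mustacheWithNumber(42);
// The "number" here is a string: a vulnerable compile() would emit it
// unquoted into the generated function body. The text is a placeholder,
// not a working payload.
const CRAFTED_AST = mustacheWithNumber('42 /* attacker-controlled text */');

// Exercise both checks and return the outcome so it can be asserted on.
function demo() {
  const compile = makeSafeCompile(stubCompile);
  const result = { stringAccepted: false, astRejected: false, suspicious: [] };
  result.stringAccepted = typeof compile('Hello {{name}}') === 'function';
  try {
    // What a JSON request body deserializes to: a plain object, not a string.
    compile(JSON.parse(JSON.stringify(CRAFTED_AST)));
  } catch (e) {
    result.astRejected = e instanceof TypeError;
  }
  result.suspicious = findSuspiciousNumberLiterals(CRAFTED_AST);
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In an application, replace `stubCompile` with `Handlebars.compile` and route every call through the wrapper; a failing `findSuspiciousNumberLiterals` result on an AST the service did not parse itself is a signal to reject the request and log it. Where templates are pre-compiled at build time, the second workaround above (shipping only `handlebars/runtime`) removes `compile()` entirely and makes both checks unnecessary on the server.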

