npm vulnerability intelligence

handlebars NPM Package Vulnerability Check

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration


handlebars

v4.7.9 · MIT · 38,196,232 dl/wk

Advisory Breakdown

Critical: 4
High: 10
Moderate: 4
Low: 1

Severity rating: Critical (19 advisories)
Weekly downloads: 38,196,232
Total advisories: 19
Latest version: 4.7.9
License: MIT

Known advisories

OSV records for the npm ecosystem (19)
GHSA-2cf5-4w76-r9qv · high
Arbitrary Code Execution in handlebars
Affected: >=0 <3.0.8, >=4.0.0 <4.5.2 · Fixed in: 3.0.8, 4.5.2 · Updated Feb 4, 2026

GHSA-2qvq-rjwj-gvw9 · CVE-2026-33916 · moderate
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Affected: >=4.0.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 28, 2026

GHSA-2w6w-674q-4c4q · CVE-2026-33937 · critical
Handlebars.js has JavaScript Injection via AST Type Confusion
Affected: >=4.0.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 30, 2026

GHSA-3cqr-58rm-57f8 · CVE-2019-20920 · high
Arbitrary Code Execution in Handlebars
Affected: >=0 <3.0.8, >=4.0.0 <4.5.3 · Fixed in: 3.0.8, 4.5.3 · Updated Mar 13, 2026

GHSA-3mfm-83xf-c92r · CVE-2026-33938 · high
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Affected: >=4.0.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 30, 2026

GHSA-442j-39wm-28r2 · low
Handlebars.js has a Property Access Validation Bypass in container.lookup
Affected: >=4.0.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 30, 2026

GHSA-62gr-4qp9-h98f · CVE-2019-20922 · high
Regular Expression Denial of Service in Handlebars
Affected: >=4.0.0 <4.4.5 · Fixed in: 4.4.5 · Updated Mar 13, 2026

GHSA-765h-qjxv-5f44 · CVE-2021-23383 · critical
Prototype Pollution in handlebars
Affected: >=0 <4.7.7 · Fixed in: 4.7.7 · Updated Feb 4, 2026

GHSA-7rx3-28cr-v5wh · moderate
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
Affected: >=4.6.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 30, 2026

GHSA-9cx6-37pm-9jff · CVE-2026-33939 · high
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Affected: >=4.0.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 30, 2026

GHSA-9prh-257w-9277 · CVE-2015-8861 · moderate
Cross-Site Scripting in handlebars
Affected: >=0 <4.0.0 · Fixed in: 4.0.0 · Updated Feb 4, 2026

GHSA-f2jv-r9rf-7988 · CVE-2021-23369 · critical
Remote code execution in handlebars when compiling templates
Affected: >=0 <4.7.7 · Fixed in: 4.7.7 · Updated Feb 4, 2026

GHSA-f52g-6jhx-586p · moderate
Denial of Service in handlebars
Affected: >=4.0.0 <4.4.5 · Fixed in: 4.4.5 · Updated Aug 31, 2020

GHSA-g9r4-xpmj-mj65 · high
Prototype Pollution in handlebars
Affected: >=0 <3.0.8, >=4.0.0 <4.5.3 · Fixed in: 3.0.8, 4.5.3 · Updated Feb 4, 2026

GHSA-q2c6-c6pm-g3gh · high
Arbitrary Code Execution in handlebars
Affected: >=0 <3.0.8, >=4.0.0 <4.5.3 · Fixed in: 3.0.8, 4.5.3 · Updated Feb 4, 2026

GHSA-q42p-pg8m-cqh6 · high
Prototype Pollution in handlebars
Affected: >=4.1.0 <4.1.2, >=4.0.0 <4.0.14, >=0 <3.0.7 · Fixed in: 4.1.2, 4.0.14, 3.0.7 · Updated Feb 4, 2026

GHSA-w457-6q6x-cgp9 · CVE-2019-19919 · critical
Prototype Pollution in handlebars
Affected: >=4.0.0 <4.3.0, >=0 <3.0.8 · Fixed in: 4.3.0, 3.0.8 · Updated Feb 4, 2026

GHSA-xhpv-hc6g-r9c6 · CVE-2026-33940 · high
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Affected: >=4.0.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 30, 2026

GHSA-xjpj-3mr7-gcpf · CVE-2026-33941 · high
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
Affected: >=4.0.0 <4.7.9 · Fixed in: 4.7.9 · Updated Mar 30, 2026

Checked Jun 7, 2026, 4:59 PM from npm and OSV.dev

Package metadata

From the npm registry

Package name: handlebars
Ecosystem: npm
Latest version: 4.7.9
License: MIT
Weekly downloads: 38,196,232

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Runtime flows in scope: signup flows, login attempts, API traffic.
