{
  "threat_severity" : "Important",
  "public_date" : "2026-03-27T21:13:15Z",
  "bugzilla" : {
    "description" : "handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw",
    "id" : "2452524",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452524"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-94",
  "details" : [ "Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before invoking the precompiler. Reject filenames and option values  that contain characters with JavaScript string-escaping significance (`\"`, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed via a configuration file rather than  command-line arguments in automated pipelines. Third, run the precompiler in a sandboxed environment (container with no write access to sensitive  paths) to limit the impact of successful exploitation. Fourth, audit template filenames in any repository or package that is consumed by an automated  build pipeline.", "A flaw was found in Handlebars. The Handlebars command-line interface (CLI) precompiler concatenates user-controlled strings, such as template file names and CLI options, directly into the generated JavaScript without proper escaping or sanitization. An attacker capable of influencing these inputs can inject arbitrary JavaScript code. This can lead to arbitrary code execution when the generated JavaScript bundle is loaded in a Node.js environment or a web browser." ],
  "statement" : "Important: This flaw in Handlebars allows arbitrary code execution when the CLI precompiler processes untrusted inputs. An attacker who can influence template filenames or command-line arguments can inject malicious JavaScript, which executes when the generated bundle is loaded. Red Hat products utilizing the Handlebars CLI precompiler in environments where untrusted inputs are processed may be affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Dev Spaces 3.27",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10175",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.27::el9",
    "package" : "devspaces/code-rhel9:1776744110"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Not affected",
    "package_name" : "handlebars",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch6-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-operator-bundle",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-proxy-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/elasticsearch-rhel9-operator",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-logging/logging-curator5-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "handlebars",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "389-ds:1.4/389-ds-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "grafana",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "mozjs60",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "firefox",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "thunderbird",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Not affected",
    "package_name" : "rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "handlebars",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33941\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33941\nhttps://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2\nhttps://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9\nhttps://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf" ],
  "name" : "CVE-2026-33941",
  "mitigation" : {
    "value" : "To mitigate this issue, ensure all inputs to the Handlebars CLI precompiler are thoroughly validated, rejecting characters with JavaScript string-escaping significance (e.g., \\\" , \\' , ;). For automated build pipelines, configure a fixed and trusted namespace string via a configuration file rather than passing it through command-line arguments. Additionally, consider running the precompiler within a sandboxed environment, such as a container with restricted write access, to limit the potential impact of successful exploitation.",
    "lang" : "en:us"
  },
  "csaw" : false
}