Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options — CVE-2026-33941

Summary

Advisory CVE-2026-33941. Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options Vendor: Microsoft. Source: MSRC. Threat: high. CVSS 8.2. See the official advisory for details.

What to do

General, cautious steps (verify details in the official source):

• Prioritize patching or mitigation immediately (treat as actively risky).
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• Mariner CVE-2026-34714
• Mariner CVE-2026-21710
• Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib CVE-2026-4176
• Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation) CVE-2026-33896
• Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input CVE-2026-33891
• Forge has signature forgery in Ed25519 due to missing S > L check CVE-2026-33895
• Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation CVE-2026-33939
• Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block CVE-2026-33938
• Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial CVE-2026-33940
• Excessive NSEC3 iterations cause high CPU load during insecure delegation validation CVE-2026-1519
• Flannel vulnerable to cross-node remote code execution via extension backend BackendData injection CVE-2026-32241
• LIBPNG has ARM NEON Palette Expansion Out-of-Bounds Read on AArch64 CVE-2026-33636