HIGH🇵🇱 Wersja polska

CVE-2019-20920

CVSS 8.1v3.1pub. 2020-09-30upd. 2024-11-21

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
  • Handlebarsjs Handlebars

    APP
    Handlebarsjs
    < 3.0.84.0.0 – 4.5.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEXSS
CWE
References

Related vulnerabilities

CVE-2026-33937CRITICAL9.8PL ✓ten sam produkt

RCE w Handlebars.js przez wstrzyknięcie kodu przez AST (compile)

CVE-2026-33941HIGH8.2ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...

CVE-2026-33938HIGH8.1ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...

CVE-2026-33939HIGH7.5ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...

CVE-2026-33940HIGH8.1ten sam produkt

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...