CVE-2026-33938
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-blockHandlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.
We have discovered 27,902 live websites that are affected by CVE-2026-33938.
Affected Software
| Product |  Handlebars |
| Category | JavaScript Frameworks |
| Vulnerable Domains | 27,902 live websites (90% of Handlebars install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 34 versions ( 68% of all versions) |
Common Weakness Enumeration
CWE-94 Improper Control of Generation of Code ('Code Injection')Details
- Published - Mar 27, 2026
- Updated - Apr 1, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-33938 United States | 19,799 websites |
 Germany | 857 websites |
 Canada | 832 websites |
 GB | 674 websites |
 Australia | 523 websites |
 Vietnam | 391 websites |
 Poland | 344 websites |
 Italy | 342 websites |
 Netherlands | 337 websites |
 France | 300 websites |
Website Distribution by TLD
Number of websites using CVE-2026-33938| .com | 16,791 websites |
| .org | 2,218 websites |
| .ca | 727 websites |
| .net | 673 websites |
| .de | 575 websites |
| .co.uk | 467 websites |
| .com.au | 452 websites |
| .edu | 421 websites |
| .pl | 310 websites |
| .it | 269 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-33938
Top websites that are affected by CVE-2026-33938. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.***.*******.com | United States | *,*** | |
| ************.**.uk | GB | *,*** | |
| *************.com | United States | *,*** | |
| *****.blog |  Singapore | *,*** | |
| ******.edu | Australia | *,*** | |
| *************.com | United States | *,*** | |
| *****.com | United States | **,*** | |
| ****.com | United States | **,*** | |
| **********.**.uk | United States | **,*** | |
| ******.com | United States | **,*** |
FAQ
CVE-2026-33938 is Improper Control of Generation of Code ('Code Injection') in Handlebars
A total of 27,902 websites have been identified as vulnerable to CVE-2026-33938, based on global website indexing conducted by WebTechSurvey.
The Handlebars is affected by the CVE-2026-33938 vulnerability.
Handlebars versions up to 4.7.9 are vulnerable to CVE-2026-33938.
CVE-2026-33938 is resolved in version 4.7.9 of Handlebars.