SCA: security update for handlebars (GHSA-2qvq-rjwj-gvw9)

medium Tenable Cloud Security Plugin ID 439279

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through
4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on
`options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been
polluted with a string value whose key matches a partial reference in a template, the polluted string is
used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version
4.7.9 fixes the issue. Some workarounds are available. Apply `Object.freeze(Object.prototype)` early in
application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the
Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the
attack surface. (CVE-2026-33916)

Solution

Update the handlebars library and its related packages to version 4.7.9 or later.

See Also

https://github.com/advisories/GHSA-2qvq-rjwj-gvw9

Plugin Details

Severity: Medium

ID: 439279

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 3/27/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.59

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-33916

CVSS v3

Risk Factor: Medium

Base Score: 4.7

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/26/2026

Vulnerability Publication Date: 3/26/2026

Reference Information

CVE: CVE-2026-33916