SCA: security update for handlebars (GHSA-9cx6-37pm-9jff)

high Tenable Cloud Security Plugin ID 439340

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through
4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g.
`{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The
runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a
function` that crashes the Node.js process. Any application that compiles user-supplied templates without
wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9
fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate
template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`)
if decorators are not used in your application. Use the pre-compilation workflow; compile templates at
build time and serve only pre-compiled templates; do not call `compile()` at request time.
(CVE-2026-33939)

Solution

Update the handlebars library and its related packages to version 4.7.9 or later.

See Also

https://github.com/advisories/GHSA-9cx6-37pm-9jff

Plugin Details

Severity: High

ID: 439340

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 3/27/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-33939

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/27/2026

Vulnerability Publication Date: 3/27/2026

Reference Information

CVE: CVE-2026-33939

cwe: CWE-754