The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through     4.7.8, the Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-     controlled strings  template file names and several CLI options  directly into the JavaScript it emits,     without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments     can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser.
    Version 4.7.9 fixes the issue. Some workarounds are available. First, validate all CLI inputs before     invoking the precompiler. Reject filenames and option values that contain characters with JavaScript     string-escaping significance (``, `'`, `;`, etc.). Second, use a fixed, trusted namespace string passed     via a configuration file rather than command-line arguments in automated pipelines. Third, run the     precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the     impact of successful exploitation. Fourth, audit template filenames in any repository or package that is     consumed by an automated build pipeline. (CVE-2026-33941)

Note that Nessus relies on the presence of the package as reported by the vendor.

Detections

Analytics

Linux Distros Unpatched Vulnerability : CVE-2026-33941

high Nessus Plugin ID 304160

Version 1.10