#VU124847 Prototype pollution in handlebars.js


Published: April 2, 2026


Vulnerability identifier: #VU124847
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
handlebars.js
Software vendor:
The Handlebars Templating Language

Description

The vulnerability allows a remote attacker to disclose sensitive information and modify data.

The vulnerability exists due to improper access control in lib/handlebars/internal/proto-access.js when templates are rendered with the non-default allowProtoMethodsByDefault option enabled. A remote attacker who can supply or influence a template can reach the __lookupSetter__ prototype method through the template's property lookup and use it to disclose sensitive information and modify data.

The root cause is an incomplete built-in prototype method blocklist: __lookupSetter__ is omitted, while the related accessor helpers (__defineGetter__, __defineSetter__ and __lookupGetter__) and constructor remain blocked. With the default configuration (allowProtoMethodsByDefault unset or false) unlisted prototype methods are denied, so the default configuration is not affected; exploitation is only possible when allowProtoMethodsByDefault is explicitly set to true.
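To make the setting concrete, here is an added JavaScript example (not Handlebars' own code) that models the documented semantics of allowProtoMethodsByDefault and allowedProtoMethods together with the four method names the library denies by default, plus a simplified form of the template-side property lookup. The configuration objects, the lookupProperty model and the audit helper reachableAccessorHelpers are constructed for this example. It shows that a blanket allow leaves __lookupSetter__ reachable from an ordinary context object while the built-in denials still hold, and two ways to close the gap in configuration.

```javascript
// Added example, not code from Handlebars: a stand-alone model of the
// documented runtime options allowProtoMethodsByDefault and
// allowedProtoMethods, used to show why a blanket "allow by default"
// setting exposes __lookupSetter__ and how to close that gap in config.

// Method names the library is documented to deny by default. Note that
// __lookupSetter__ is not among them, which is the gap the advisory describes.
const BUILTIN_DENIED_METHODS = [
  'constructor',
  '__defineGetter__',
  '__defineSetter__',
  '__lookupGetter__',
];

// Build the method access table: built-in denials first, then the caller's
// allowedProtoMethods entries (true = allow, false = deny) override them.
// Names absent from the table fall back to allowProtoMethodsByDefault.
function buildMethodAccessControl(runtimeOptions) {
  const table = Object.create(null);
  for (const name of BUILTIN_DENIED_METHODS) table[name] = false;
  for (const [name, allowed] of Object.entries(runtimeOptions.allowedProtoMethods || {})) {
    table[name] = Boolean(allowed);
  }
  return { table, defaultValue: Boolean(runtimeOptions.allowProtoMethodsByDefault) };
}

// Decide whether a prototype method of that name is reachable from a template.
function isProtoMethodAllowed(control, name) {
  return name in control.table ? control.table[name] : control.defaultValue;
}

// Simplified model of the template-side lookup: own properties are always
// returned; inherited function-valued properties only when the method table
// allows them. (Non-function prototype properties are governed by a separate
// property table in the real runtime and are not modelled here.)
function lookupProperty(parent, name, control) {
  if (Object.prototype.hasOwnProperty.call(parent, name)) return parent[name];
  const value = parent[name];
  if (typeof value === 'function' && isProtoMethodAllowed(control, name)) return value;
  return undefined;
}

// Audit helper (constructed for this example): returns the accessor helpers
// a configuration leaves reachable. A non-empty result is a finding.
const ACCESSOR_HELPERS = [...BUILTIN_DENIED_METHODS, '__lookupSetter__'];
function reachableAccessorHelpers(runtimeOptions) {
  const control = buildMethodAccessControl(runtimeOptions);
  return ACCESSOR_HELPERS.filter((name) => isProtoMethodAllowed(control, name));
}

// Constructed configurations (assumptions for this example).
// weak: the non-default blanket allow the advisory warns about.
const weakOptions = { allowProtoMethodsByDefault: true };
// hardened: keep the default deny and allow only the methods templates need.
const hardenedOptions = { allowedProtoMethods: { toUpperCase: true } };
// compensating: if the blanket allow cannot be removed, deny __lookupSetter__ explicitly.
const compensatingOptions = {
  allowProtoMethodsByDefault: true,
  allowedProtoMethods: { __lookupSetter__: false },
};

// An ordinary render context inherits __lookupSetter__ from Object.prototype,
// so under the weak options the lookup hands the template a real function.
const context = { title: 'report' };
const weakControl = buildMethodAccessControl(weakOptions);

console.log('weak         ->', reachableAccessorHelpers(weakOptions));         // ['__lookupSetter__']
console.log('hardened     ->', reachableAccessorHelpers(hardenedOptions));     // []
console.log('compensating ->', reachableAccessorHelpers(compensatingOptions)); // []
console.log('weak lookup  ->', typeof lookupProperty(context, '__lookupSetter__', weakControl)); // 'function'
```

The audit helper is the check to run over an application's Handlebars runtime options: any configuration for which it returns a non-empty list relies on the library's built-in blocklist being complete, which this advisory shows it is not.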


Remediation

Install the security update from the vendor's website. Until it is applied, do not enable allowProtoMethodsByDefault: the default configuration is not affected by this issue.

External links