
handlebars.java CVE-2026-55760

Severity: HIGH (7.5, CVSS 3.1, GitHub Advisory)
Weakness: Path Traversal (CWE-22)
Published: 2026-06-17
Project: https://github.com/jknack/handlebars.java
Advisory: GHSA-r4gv-qr8j-p3pg

Severity by source

GitHub Advisory (primary): 7.5 HIGH
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today (AI): 7.5 HIGH
  Rationale: Network-reachable template parameter, no auth or interaction, trivial ../ payload; arbitrary file read yields high confidentiality impact with no integrity or availability effect.
  CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Jun 18, 2026 01:38  Source Code Evidence Fetched (vuln.today)
Jun 18, 2026 01:38  Analysis Generated (vuln.today)
Jun 17, 2026 18:42  CVE Published (github-advisory), rated HIGH 7.5

Description (GitHub Advisory)

Impact

Any application that passes user-controlled input to Handlebars.compile() using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that use template names from URL path parameters, request parameters, or other user-controlled sources.

Patches

com.github.jknack:handlebars:4.5.2

Workarounds

Validate the template name if it is derived from user input.

```java
// Canonicalise the candidate as well as the prefix: "<prefix>/../x" still starts with the canonical prefix.
String base = new File(prefix).getCanonicalPath();
String resolved = file.getCanonicalPath();
if (!resolved.startsWith(base + File.separator)) { // separator: a sibling "<prefix>2/x" must not pass
    throw new IOException("Path traversal attempt detected: " + location);
}
```

Analysis (AI)

Arbitrary file read in jknack handlebars.java versions prior to 4.5.2 allows remote unauthenticated attackers to retrieve files outside the intended template directory when applications pass user-controlled input to Handlebars.compile() with a FileTemplateLoader or ClassPathTemplateLoader. The flaw stems from missing path canonicalization in the template loaders, enabling classic ../ traversal sequences to escape the configured template prefix. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify endpoint passing user input to Handlebars.compile()
Delivery: Send request with ../ traversal in template name
Exploit: FileTemplateLoader resolves path outside prefix
Execution: Library reads target file as template source
Impact: Sensitive file contents returned in response or error

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application (a) embeds com.github.jknack:handlebars at a version below 4.5.2, (b) instantiates a FileTemplateLoader or ClassPathTemplateLoader, and (c) passes attacker-controllable data, typically a URL path segment, query parameter, form field, or header value, as the template name argument to Handlebars.compile(). …
Risk Assessment: The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) reflects unauthenticated network exploitation with low complexity and a confidentiality-only impact, which matches an arbitrary file read primitive. …
Exploit Scenario: A web application exposes an endpoint such as /render?template=welcome that forwards the template parameter into Handlebars.compile() backed by a FileTemplateLoader rooted at /opt/app/templates. An unauthenticated attacker sends /render?template=../../../../etc/passwd (or a classpath equivalent such as ../../../../application.properties), and the loader reads the targeted file and returns it as template content, disclosing credentials, configuration, or source code. No public PoC is referenced in the advisory, but the technique follows the standard CWE-22 pattern, and the CVSS vector (AC:L/PR:N/UI:N) rates the path as trivially reachable.
Remediation: Upgrade the Maven dependency com.github.jknack:handlebars to 4.5.2 or later; this is the vendor-released fix per GHSA-r4gv-qr8j-p3pg (https://github.com/jknack/handlebars.java/security/advisories/GHSA-r4gv-qr8j-p3pg). …
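The pattern described under Impact and in the Exploit Scenario, alongside the containment check the Workarounds section sketches, as an added example. This is not code from handlebars.java or from the advisory: the class name SafeTemplateRender, the method names, the temp-directory fixture and the empty loader suffix are assumptions made for the example. It uses the library's public Handlebars, FileTemplateLoader, Handlebars.compile() and Template.apply() API, and the guard canonicalises the candidate path (not only the prefix), compares whole path elements, and re-checks the real path so a symlink under the root cannot point outside it.

```java
import com.github.jknack.handlebars.Handlebars;
import com.github.jknack.handlebars.Template;
import com.github.jknack.handlebars.io.FileTemplateLoader;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;

/**
 * Added example (hypothetical class, not part of handlebars.java or the advisory):
 * the vulnerable "request parameter straight into compile()" pattern next to a
 * guarded version that refuses any name resolving outside the template root.
 */
public class SafeTemplateRender {

    // Assumption for this example: an empty suffix, so the requested name maps
    // one-to-one onto a file name under the template root.
    private static final String SUFFIX = "";

    private final Path base;            // canonical template root (symlinks resolved)
    private final Handlebars handlebars;

    SafeTemplateRender(Path templateDir) throws IOException {
        this.base = templateDir.toRealPath();
        this.handlebars = new Handlebars(new FileTemplateLoader(base.toFile(), SUFFIX));
    }

    /** The pattern the advisory describes: user input becomes the template name. */
    String renderUnguarded(String templateName, Map<String, Object> ctx) throws IOException {
        Template t = handlebars.compile(templateName);
        return t.apply(ctx);
    }

    /** Guarded variant: containment check on the canonical candidate path first. */
    String renderGuarded(String templateName, Map<String, Object> ctx) throws IOException {
        checkInsideBase(templateName);
        return renderUnguarded(templateName, ctx);
    }

    void checkInsideBase(String templateName) throws IOException {
        if (templateName == null || templateName.isEmpty()) {
            throw new IOException("Empty template name");
        }
        // Build the same path the loader will open and normalise it, which collapses "..".
        // resolve() of an absolute argument returns that argument, so "/etc/passwd" also
        // lands outside base and is rejected.
        Path candidate = base.resolve(templateName + SUFFIX).normalize();
        // Path.startsWith compares whole name elements, so a sibling "templates2" does
        // not match a base named "templates".
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new IOException("Path traversal attempt detected: " + templateName);
        }
        // A symlink inside the root may still point outside it; check the real path too.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IOException("Template escapes root via symlink: " + templateName);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: <tmp>/templates/welcome plus a secret one directory up.
        Path root = Files.createTempDirectory("hbs-traversal-demo");
        Path templates = Files.createDirectories(root.resolve("templates"));
        Files.writeString(templates.resolve("welcome"), "Hello {{name}}!");
        Files.writeString(root.resolve("secret.txt"), "db.password=hunter2");

        SafeTemplateRender render = new SafeTemplateRender(templates);
        Map<String, Object> ctx = Map.of("name", "Ada");

        System.out.println(render.renderGuarded("welcome", ctx)); // Hello Ada!

        String[] payloads = {
            "../secret.txt",                      // classic traversal
            "../../../../etc/passwd",             // the advisory's example payload
            root.resolve("secret.txt").toString() // absolute path
        };
        for (String p : payloads) {
            try {
                render.renderGuarded(p, ctx);
                System.out.println("NOT BLOCKED: " + p);
            } catch (IOException e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }

        // Unguarded call with the traversal payload. Per the advisory, below 4.5.2 the
        // loader reads the file outside the root; from 4.5.2 the loader itself rejects it.
        try {
            System.out.println("unguarded: " + render.renderUnguarded("../secret.txt", ctx));
        } catch (IOException e) {
            System.out.println("unguarded call rejected by loader: " + e.getMessage());
        }
    }
}
```

Run it against a pre-4.5.2 dependency to watch the unguarded call return the secret, and against 4.5.2 or later to see the loader reject the same name. The guard fails closed: a leading slash is rejected outright rather than stripped, so routes that legitimately produce absolute-looking names must normalise them before they reach the check, not after.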

Recommended Action (AI)

Within 24 hours: Inventory all applications and services using jknack handlebars.java and identify which versions are deployed. …

