CVE-2026-33941: High-Severity Command Injection Flaw in Handlebars CLI Precompiler
A high-severity command injection vulnerability has been identified in the Handlebars CLI precompiler, tracked as CVE-2026-33941. The flaw resides in the `bin/handlebars` and `lib/precompiler.js` components of the popular templating library. The core issue is that the precompiler concatenates user-controlled strings, specifically template file names and several command-line interface (CLI) options, directly into shell command strings without escaping or validation. Because the resulting string is interpreted by a shell, shell metacharacters in those values are treated as command syntax rather than as literal arguments, giving an attacker a direct path to execute arbitrary code on the host system.
The vulnerability is confirmed in the `handlebars-4.7.7.tgz` package, which is the current version found in the `master` branch of affected projects. Handlebars is a widely used JavaScript templating engine designed to build semantic templates, making this flaw a significant risk for any application or build pipeline that utilizes its CLI tool for precompilation. The attack vector is straightforward: by crafting malicious input for the vulnerable CLI parameters, an attacker can break out of the intended command and run system-level commands.
This discovery places immediate pressure on development and security teams to audit their dependency trees. Any project that directly or indirectly depends on the vulnerable `handlebars-4.7.7.tgz` library and uses its CLI for tasks like build automation or template processing is exposed. The high severity rating underscores the potential for complete system compromise. Organizations must prioritize identifying this dependency, assessing their exposure, and applying the official patch once it becomes available to mitigate the risk of remote code execution.