CVE-2026-55760
handlebars.java FileTemplateLoader Path Traversal
Description
### Impact

Any application that passes user-controlled input to `Handlebars.compile()` while using a `FileTemplateLoader` (or `ClassPathTemplateLoader`) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that take template names from URL path parameters, request parameters, or other user-controlled sources.

### Patches

com.github.jknack:handlebars:4.5.2

### Workarounds

Validate template names that are derived from user input, for example by resolving the requested file to its canonical path and rejecting it when it lies outside the loader's base directory:

```java
// Canonicalize both the requested file and the base directory before comparing,
// so that "..", "." and symlinks cannot be used to escape the prefix.
String canonicalPrefix = new File(prefix).getCanonicalPath();
if (!file.getCanonicalPath().startsWith(canonicalPrefix)) {
  throw new IOException("Path traversal attempt detected: " + location);
}
```
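The following is an added, self-contained example (not code from the handlebars.java project) of how an application can confine a user-supplied template name to a fixed directory before handing it to `Handlebars.compile()`. The class name `SafeTemplateResolver`, its methods and the temporary files it creates are constructed for this illustration. It canonicalizes both the base directory and the candidate file and compares with a trailing separator, so that neither `..` segments, symlinks, nor a sibling directory whose name merely begins with the base name can pass the check. It also shows, for contrast, why comparing the raw `getPath()` string against a canonical prefix is not sufficient.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example: resolve a user-supplied template name inside a fixed base
 * directory and reject anything that escapes it. An application would call
 * resolve(name) and only then pass 'name' to Handlebars.compile().
 */
public final class SafeTemplateResolver {

    private final String canonicalBase; // canonical base dir, always ends with File.separator
    private final String suffix;        // template file suffix, e.g. ".hbs"

    public SafeTemplateResolver(File baseDir, String suffix) throws IOException {
        String base = baseDir.getCanonicalPath();
        // Trailing separator: "/srv/templates-private" must not count as a child of "/srv/templates".
        this.canonicalBase = base.endsWith(File.separator) ? base : base + File.separator;
        this.suffix = suffix;
    }

    /** Returns the canonical file for 'location', or throws if it lies outside the base directory. */
    public File resolve(String location) throws IOException {
        if (location == null || location.isEmpty()) {
            throw new IOException("Empty template name");
        }
        File candidate = new File(canonicalBase, location + suffix);
        // getCanonicalPath() collapses "..", "." and symlinks, so the comparison sees the real target.
        String canonical = candidate.getCanonicalPath();
        if (!canonical.startsWith(canonicalBase)) {
            throw new IOException("Path traversal attempt detected: " + location);
        }
        return new File(canonical);
    }

    /**
     * The insufficient variant: compares the un-normalized path string. A name such as
     * "../../etc/passwd" still starts with the base prefix, so this returns true for it.
     */
    public boolean looksInsideWithoutCanonicalizing(String location) {
        File candidate = new File(canonicalBase, location + suffix);
        return candidate.getPath().startsWith(canonicalBase);
    }

    /** Demo with a constructed temporary template directory and one file outside it. */
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("templates");
        Files.writeString(base.resolve("index.hbs"), "Hello {{name}}");
        // A file in the parent of 'base', i.e. outside the allowed directory.
        Path outside = Files.createTempFile("secret", ".hbs");
        String outsideName = outside.getFileName().toString();
        outsideName = outsideName.substring(0, outsideName.length() - ".hbs".length());

        SafeTemplateResolver resolver = new SafeTemplateResolver(base.toFile(), ".hbs");
        System.out.println("allowed : " + resolver.resolve("index"));

        String[] traversals = { "../" + outsideName, "../../../../etc/passwd" };
        for (String name : traversals) {
            System.out.println("raw-string check would allow '" + name + "': "
                    + resolver.looksInsideWithoutCanonicalizing(name));
            try {
                resolver.resolve(name);
                System.out.println("UNEXPECTED: canonical check allowed " + name);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        Files.deleteIfExists(outside);
        Files.deleteIfExists(base.resolve("index.hbs"));
        Files.deleteIfExists(base);
    }
}
```

Compile and run with `javac SafeTemplateResolver.java && java SafeTemplateResolver` (Java 11 or later). The resolver does not check that the file exists; existence and readability are left to the template loader so that a missing template and a traversal attempt produce distinguishable errors, which is useful when writing detections for repeated "Path traversal attempt detected" log entries.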
How to fix CVE-2026-55760
To remediate CVE-2026-55760, upgrade the affected package to the fixed version listed below.
- Upgrade com.github.jknack:handlebars to 4.5.2 or later
Is CVE-2026-55760 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-55760.
Affected packages (1)
- com.github.jknack:handlebars: all versions from 0 up to, but not including, 4.5.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |