Threats Tagged 'cve-2026-33938'
Red Hat Security Advisory: OpenShift Container Platform 4.20.16 packages and security update
CVE-2025-61728
Red Hat OpenShift Dev Spaces 3.27.1 is a cloud developer workspace server and browser-based IDE designed for container-based development on OpenShift. The 3.27 release introduces support for devfile v2.1 and v2.2 standards, urging users to migrate from the deprecated v1 standard. This advisory references multiple CVEs, including CVE-2025-61728, indicating a collection of vulnerabilities affecting this product version. No specific fixes or patches are detailed in the advisory, and users are encouraged to update to supported OpenShift releases (v4.16 and higher) to continue receiving updates.
GCVE Database | 03/11/2026, 05:24:06 UTC | Added: 05/26/2026, 20:57:58 UTC
CVE-2026-33938: CWE-94: Improper Control of Generation of Code ('Code Injection') in handlebars-lang handlebars.js
CVE-2026-33938
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.
CVE Database V5 | 03/27/2026, 21:05:42 UTC | Added: 03/27/2026, 21:14:47 UTC