Threat Advisory

Handlebars Vulnerability Allows Arbitrary File Read

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-55760, with a CVSS score of 7.5, is a path traversal vulnerability in the Handlebars.java library affecting all releases prior to 4.5.2. The flaw resides in the FileTemplateLoader and ClassPathTemplateLoader components, which do not properly validate the template name supplied to Handlebars.compile(); when an application concatenates a user‑controlled value (such as a URL segment or request parameter) to form the template path, an attacker can include “../” sequences to traverse up the filesystem hierarchy and cause the loader to read arbitrary files outside the intended template directory. Exploitation requires only remote HTTP access to an endpoint that accepts a template name and passes it directly to Handlebars.compile() without sanitisation; no authentication or privileged credentials are needed. Successful exploitation yields read‑only disclosure of any file the process can access, including configuration files, source code, or credential stores, enabling further credential theft or reconnaissance. The business impact includes loss of confidentiality, potential regulatory penalties, and increased risk of subsequent attacks leveraging the exposed information. Exploitation is contingent on the application using the vulnerable loaders and exposing template names derived from untrusted input.
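The advisory describes the unsafe pattern (a request-supplied name handed straight to Handlebars.compile() with a FileTemplateLoader) and the fix (upgrade to 4.5.2). Below is an added example, not code from the advisory or from the jknack project, showing the vulnerable call beside a hardened version that an application can apply in addition to upgrading: a strict name pattern, an explicit allowlist, and a canonical-path check that the resolved file stays under the template root. The template root path, the ".hbs" suffix, the allowlisted names, and the class and method names are assumptions for illustration.

```java
import com.github.jknack.handlebars.Handlebars;
import com.github.jknack.handlebars.Template;
import com.github.jknack.handlebars.io.FileTemplateLoader;

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

public class TemplateNameGuard {

    // Assumed template root for this example; the real deployment path will differ.
    private static final Path TEMPLATE_ROOT =
        Paths.get("/srv/app/templates").toAbsolutePath().normalize();

    // Only plain names: letters, digits, underscore, hyphen, at most one subdirectory level.
    // No dots at all, so "." and ".." segments can never appear.
    private static final Pattern SAFE_NAME =
        Pattern.compile("[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)?");

    // Assumed allowlist of the templates this endpoint is actually meant to render.
    private static final Set<String> KNOWN_TEMPLATES = Set.of("home", "profile", "mail/welcome");

    private final Handlebars handlebars =
        new Handlebars(new FileTemplateLoader(TEMPLATE_ROOT.toFile(), ".hbs"));

    // Vulnerable pattern from the advisory: the request value reaches compile() unchanged.
    // With a loader older than 4.5.2, a name containing "../" resolves outside TEMPLATE_ROOT.
    public String renderUnchecked(String requestedName, Object model) throws IOException {
        Template t = handlebars.compile(requestedName);
        return t.apply(model);
    }

    // Hardened pattern: validate first, then compile only a name that passed every check.
    public String renderChecked(String requestedName, Object model) throws IOException {
        String name = validateTemplateName(requestedName);
        Template t = handlebars.compile(name);
        return t.apply(model);
    }

    // Three independent checks; any one of them failing rejects the request.
    static String validateTemplateName(String requestedName) {
        if (requestedName == null || !SAFE_NAME.matcher(requestedName).matches()) {
            throw new IllegalArgumentException("template name rejected by pattern check");
        }
        if (!KNOWN_TEMPLATES.contains(requestedName)) {
            throw new IllegalArgumentException("template name not in allowlist");
        }
        // Defence in depth: canonicalise and confirm the file would sit under TEMPLATE_ROOT.
        Path resolved = TEMPLATE_ROOT.resolve(requestedName + ".hbs").normalize();
        if (!resolved.startsWith(TEMPLATE_ROOT)) {
            throw new IllegalArgumentException("template path escapes template root");
        }
        return requestedName;
    }

    // Constructed sample inputs: two legitimate names, one traversal attempt, one unknown name.
    public static void main(String[] args) {
        String[] samples = { "home", "mail/welcome", "../../outside.txt", "admin" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validateTemplateName(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The pattern check alone would already stop "../" because it admits no dot characters; the allowlist and the canonical-path check are there so that a later relaxation of the pattern (for example, to permit dotted file names) does not silently reopen the traversal. Upgrading to 4.5.2 remains the primary fix; this validation is what the application owns regardless of library version.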

RECOMMENDATION:

  • We recommend updating jknack handlebars to version 4.5.2.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-r4gv-qr8j-p3pg
