{"id":"CVE-2026-55760","summary":"handlebars.java FileTemplateLoader Path Traversal","details":"Handlebars.java provides logic-less and semantic Mustache templates with Java. Prior to 4.5.2, applications that pass user-controlled input to Handlebars.compile() using FileTemplateLoader or ClassPathTemplateLoader are vulnerable to path traversal, allowing arbitrary file read through template names derived from URL path parameters, request parameters, or other user-controlled sources. This issue is fixed in version 4.5.2.","aliases":["GHSA-r4gv-qr8j-p3pg"],"modified":"2026-07-15T15:56:21.580564Z","published":"2026-07-08T19:31:22.919Z","database_specific":{"cwe_ids":["CWE-22"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55760.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/jknack/handlebars.java/releases/tag/v4.5.2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55760.json"},{"type":"ADVISORY","url":"https://github.com/jknack/handlebars.java/security/advisories/GHSA-r4gv-qr8j-p3pg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55760"},{"type":"FIX","url":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jknack/handlebars.java","events":[{"introduced":"0"},{"fixed":"d177cdee8b750385ca7a0d0f89f2d4be73e28f4e"},{"fixed":"cf34668e397e15c262aa7a851a0c18780df61076"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"4.5.2"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v4.5.1","v4.4.0","v4.3.1","v4.3.0","v4.2.1","v4.2.0","v4.1.2","v4.1.1","v4.1.0","v4.0.7","v4.0.6","v4.0.5","v4.0.0","v2.3.2","v2.3.1","v2.2.3","v2.2.2","v2.2.1","v2.2.0","v2.1.0","v2.0.0","v1.3.2","v1.3.1","v1.3.0","v1.2.1","v1.2.0","v1.1.2","v1.1.1","v1.1.0","v1.0.0","v0.12.0","v0.11.0","v0.10.0","v0.9.0","v0.8.0","handlebars.java-0.7.0","handlebars.java-0.6.2","handlebars.java-0.6.1","handlebars.java-0.5.5","handlebars.java-0.5.4","handlebars.java-0.5.3","handlebars.java-0.5.0","handlebars.java-0.4.2","handlebars.java-0.4.1","handlebars.java-0.4.0","handlebars.java-0.3.1","handlebars.java-0.3.0","handlebars.java-0.2.2","handlebars.java-0.2.1","0.2.0","handlebars.java-0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55760.json","vanir_signatures_modified":"2026-07-15T15:56:21Z","vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"241172713285189661100812895066524519534","length":164},"id":"CVE-2026-55760-09d79eb1","signature_type":"Function","signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/FileTemplateLoader.java","function":"getResource"}},{"deprecated":false,"digest":{"length":83,"function_hash":"339238650719358478246628913428223724227"},"id":"CVE-2026-55760-1748868a","signature_type":"Function","signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/ClassPathTemplateLoader.java","function":"getResource"}},{"source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/AbstractTemplateLoader.java"},"deprecated":false,"digest":{"line_hashes":["225724999012737701317519965068389206798","307837100511193426655343495506226422064","129659043899054951106193538568110685717","14649123151640441245686224359779819628","271281089360218972344058762266184388416","120795021154185484231873693582839689366","61317914404870289998489170559189916132","111361566027458149123527306240017450254","14544403627809111430328001529463208517","4208945688384403010703793390694853789","49108060036777491227351881624944114619","333824391801528912661282870402717160973","335070424779397808696762168296498603130"],"threshold":0.9},"id":"CVE-2026-55760-2fbddadd","signature_type":"Line","signature_version":"v1"},{"deprecated":false,"digest":{"line_hashes":["83619011527687295311586406439870022289","118580023339818966990195985351641714385","77092082234857376852503665820135464978","601008804711930250397681509049903274","295067643401631595427711117251042232807","83657725812192757675316018712170772073","47844595765065739549279180138631816906"],"threshold":0.9},"id":"CVE-2026-55760-40e03e53","signature_type":"Line","signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/ServletContextTemplateLoader.java"}},{"signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/ServletContextTemplateLoader.java","function":"ServletContextTemplateLoader"},"deprecated":false,"digest":{"function_hash":"10812622593281927225669948874333153940","length":189},"id":"CVE-2026-55760-71cf14f6","signature_type":"Function"},{"id":"CVE-2026-55760-85c471b0","signature_type":"Line","signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/ClassPathTemplateLoader.java"},"deprecated":false,"digest":{"line_hashes":["269163795229132292890075966925027349138","196144928099221047222202880287852294826","234547819444414004001812549096078939071","120840230198363270120130441675749997003","53978784796563340144481983854262864756","275614690938674510050119413578050723781","43288126998840593503114580268647639559"],"threshold":0.9}},{"signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"function":"normalize","file":"handlebars/src/main/java/com/github/jknack/handlebars/io/AbstractTemplateLoader.java"},"deprecated":false,"digest":{"function_hash":"172883694944672587250187814966846408836","length":138},"id":"CVE-2026-55760-a1de05f7","signature_type":"Function"},{"id":"CVE-2026-55760-b11c26a0","signature_type":"Line","signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/FileTemplateLoader.java"},"deprecated":false,"digest":{"line_hashes":["128347905289394353120655843853629623497","86845104814476814533219278027864751617","157031353658295718297091874631941687423","15325076076972791594629528150628200595"],"threshold":0.9}},{"signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/ServletContextTemplateLoader.java","function":"getResource"},"deprecated":false,"digest":{"function_hash":"43801416336712733064529760099185178968","length":104},"id":"CVE-2026-55760-c1b9edca","signature_type":"Function"},{"digest":{"function_hash":"255992377582465521107211443736322578912","length":81},"id":"CVE-2026-55760-c87f684e","signature_type":"Function","signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/AbstractTemplateLoader.java","function":"setSuffix"},"deprecated":false},{"signature_version":"v1","source":"https://github.com/jknack/handlebars.java/commit/d177cdee8b750385ca7a0d0f89f2d4be73e28f4e","target":{"file":"handlebars/src/main/java/com/github/jknack/handlebars/io/URLTemplateLoader.java"},"deprecated":false,"digest":{"line_hashes":["39728561658699773478347938117454571510","276651907776997587724047556619305293141","3467663090075634037682579442633178887","159634290031161517224665522109876117428","161974989587173613093740066461348533926","212098764056685707227188178986691058740"],"threshold":0.9},"id":"CVE-2026-55760-f1473e8f","signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}