Improperly Controlled Modification of Dynamically-Determined Object Attributes Affecting grafana-mssql package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-CENTOS8-GRAFANAMSSQL-15873180
- published2 Apr 2026
- disclosed27 Mar 2026
Introduced: 27 Mar 2026
NewCVE-2026-33916 (opens in a new tab)How to fix?
There is no fixed version for Centos:8 grafana-mssql.
NVD Description
Note: Versions mentioned in the description apply only to the upstream grafana-mssql package and not the grafana-mssql package as distributed by Centos.
See How to fix? for Centos:8 relevant fixed versions and status.
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, resolvePartial() in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Some workarounds are available. Apply Object.freeze(Object.prototype) early in application startup to prevent prototype pollution. Note: this may break other libraries, and/or use the Handlebars runtime-only build (handlebars/runtime), which does not compile templates and reduces the attack surface.
References
- https://access.redhat.com/security/cve/CVE-2026-33916
- https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9