Uncaught Exception The advisory has been revoked - it doesn't affect any version of package grafana-mysql  (opens in a new tab)


Threat Intelligence

Social Trends
EPSS
0.62% (46th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-GRAFANAMYSQL-15873570
  • published2 Apr 2026
  • disclosed27 Mar 2026

Introduced: 27 Mar 2026

CVE-2026-33939  (opens in a new tab)
CWE-248  (opens in a new tab)

Amendment

The Centos security team deemed this advisory irrelevant for Centos:8.

NVD Description

Note: Versions mentioned in the description apply only to the upstream grafana-mysql package and not the grafana-mysql package as distributed by Centos.

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. {{*n}}), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled TypeError: ... is not a function that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a try/catch is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in try/catch. Validate template input before passing it to compile(); reject templates containing decorator syntax ({{*...}}) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call compile() at request time.