TryGhost express-hbs is an Express handlebar template engine with multiple layouts, blocks and cache sections. tryGhost express-hbs suffers from an information disclosure vulnerability that stems from the product’s Express render API mixing pure template data with engine configuration options, which can be exploited by an attacker to override internal configuration options resulting in a file leak.