CVE-2026-33943
Last modified
CVE-2026-33943 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. EPSS estimates a 0.74% chance of exploitation in the next 30 days.
Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Capricorn86 | Happy Dom | >= 15.10.0, < 20.8.8 |
References
- https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8Product, Release Notes
- https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64Exploit, Vendor Advisory
- https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64Exploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-33943?
How severe is CVE-2026-33943?
How do I fix CVE-2026-33943?
Are you affected by CVE-2026-33943?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST