CVE-2026-33943
HIGHHappy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Title source: cnaDescription
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64
X_Refsource_Misc x_refsource_misc
https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c
X_Refsource_Misc x_refsource_misc
https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8
Scores
CVSS v3
8.8
EPSS
0.0074
EPSS Percentile
49.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (3)
capricorn86/happy-dom
>= 15.10.0, < 20.8.8
capricorn86/happy_dom
15.10.0 - 20.8.8
npm/happy-dom
15.10.0 - 20.8.8npm
Published
Mar 27, 2026
Tracked Since
Mar 29, 2026