{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33943", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.104Z", "datePublished": "2026-03-27T21:15:19.186Z", "dateUpdated": "2026-03-27T21:58:16.284Z"}, "containers": {"cna": {"title": "Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"}, {"name": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c"}, {"name": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8"}], "affected": [{"vendor": "capricorn86", "product": "happy-dom", "versions": [{"version": ">= 15.10.0, < 20.8.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:15:19.186Z"}, "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue."}], "source": {"advisory": "GHSA-6q6h-j7hj-3r64", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T21:58:00.418466Z", "id": "CVE-2026-33943", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T21:58:16.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33943", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T21:58:00.418466Z"}}}], "references": [{"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T21:58:10.989Z"}}], "cna": {"title": "Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code", "source": {"advisory": "GHSA-6q6h-j7hj-3r64", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "capricorn86", "product": "happy-dom", "versions": [{"status": "affected", "version": ">= 15.10.0, < 20.8.8"}]}], "references": [{"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "name": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c", "name": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8", "name": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:15:19.186Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33943", "state": "PUBLISHED", "dateUpdated": "2026-03-27T21:58:16.284Z", "dateReserved": "2026-03-24T19:50:52.104Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:15:19.186Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7EAF0355-096E-4A40-8520-8FA8EBEF230B", "versionEndExcluding": "20.8.8", "versionStartIncluding": "15.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue."}], "id": "CVE-2026-33943", "lastModified": "2026-04-13T17:24:44.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T22:16:21.393", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "happy-dom: Happy DOM: Remote Code Execution via JavaScript expression injection", "id": "2452522", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452522"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-917", "details": ["A flaw was found in Happy DOM, a JavaScript implementation of a web browser. This vulnerability allows a remote attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions. The `ECMAScriptModuleCompiler` component fails to properly sanitize content within `export { }` declarations in ES module scripts, leading to the direct execution of malicious code."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33943", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-ui-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-27T21:15:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33943\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33943\nhttps://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c\nhttps://github.com/capricorn86/happy-dom/releases/tag/v20.8.8\nhttps://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[15.10.0,20.8.8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "happy-dom", "source": "cna", "vendor": "capricorn86"}, "product": "happy-dom", "vendor": "capricorn86"}], "analysis": {"en": {"generated_at": "2026-04-13T18:28:47.969493+00:00", "value": {"mitigation_remediation": ["Upgrade Happy DOM to version 20.8.8 or newer. ", "If immediate upgrade is not feasible, restrict the source of ES module scripts passed to Happy DOM to fully trusted code paths and avoid processing user\u2011controlled or external modules. ", "As a temporary safeguard, manually remove backticks or otherwise sanitize export names before passing the module to Happy DOM. ", "Monitor the library\u2019s release notes for future patches and remain vigilant for any new advisories."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in versions 15.10.0 through 20.8.7 of the Happy DOM library distributed by Capricorn86. Applications that rely on these versions to parse or execute ES modules will be impacted; the fix is available in version 20.8.8 and later.", "description_and_impact": "An issue in Happy DOM's ECMAScriptModuleCompiler allows the interpreter to insert unsanitized export names directly into generated code. Through this mechanism, an attacker can inject arbitrary JavaScript expressions inside export { } declarations in ES module scripts, bypassing the built\u2011in quote filter because backticks are not removed. The result is remote code execution within the environment that consumes Happy DOM. The vulnerability is classified as Code Injection (CWE\u201194) and the execution of unsanitized content (CWE\u2011917).", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity level, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires that an attacker can supply or influence the ES module source that Happy DOM compiles, which is typically a local developer or a compromised application. If such code can be injected, the attacker can execute arbitrary JavaScript with the privileges of the host process."}}}}, "created": "2026-03-29T20:29:47.034541+00:00", "updated": "2026-04-14T16:42:35.661429+00:00", "vendors": ["capricorn86", "capricorn86$PRODUCT$happy-dom"]}