CVE-2026-33943

Source
https://cve.org/CVERecord?id=CVE-2026-33943
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33943.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33943
Published
2026-03-27T21:15:19.186Z
Modified
2026-04-02T13:29:10.702909Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Details

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside export { } declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33943.json"
}
Affected packages

Git / github.com/capricorn86/happy-dom

Affected ranges

Type
GIT
Repo
https://github.com/capricorn86/happy-dom
Events
Database specific
{
    "versions": [
        {
            "introduced": "15.10.0"
        },
        {
            "fixed": "20.8.8"
        }
    ]
}

Affected versions

v15.*
v15.10.0
v15.10.1
v15.10.2
v15.10.3
v15.10.4
v15.10.5
v15.10.6
v15.10.7
v15.10.8
v15.11.0
v15.11.1
v15.11.2
v15.11.3
v15.11.4
v15.11.5
v15.11.6
v15.11.7
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.2.0
v16.2.1
v16.2.2
v16.2.3
v16.2.4
v16.2.5
v16.2.6
v16.2.7
v16.2.8
v16.2.9
v16.3.0
v16.4.0
v16.4.1
v16.4.2
v16.4.3
v16.5.0
v16.5.1
v16.5.2
v16.5.3
v16.6.0
v16.7.0
v16.7.1
v16.7.2
v16.7.3
v16.8.0
v16.8.1
v17.*
v17.0.0
v17.0.1
v17.0.2
v17.0.3
v17.0.4
v17.1.0
v17.1.1
v17.1.10
v17.1.11
v17.1.12
v17.1.13
v17.1.2
v17.1.3
v17.1.4
v17.1.5
v17.1.6
v17.1.7
v17.1.8
v17.1.9
v17.2.0
v17.2.1
v17.2.2
v17.2.3
v17.2.4
v17.3.0
v17.3.1
v17.3.2
v17.4.0
v17.4.1
v17.4.2
v17.4.3
v17.4.4
v17.4.5
v17.4.6
v17.4.7
v17.4.8
v17.4.9
v17.5.0
v17.5.1
v17.5.2
v17.5.3
v17.5.4
v17.5.5
v17.5.6
v17.5.7
v17.5.8
v17.5.9
v17.6.0
v17.6.1
v17.6.2
v17.6.3
v18.*
v18.0.0
v18.0.1
v19.*
v19.0.0
v19.0.1
v19.0.2
v20.*
v20.0.0
v20.0.1
v20.0.10
v20.0.11
v20.0.2
v20.0.3
v20.0.4
v20.0.5
v20.0.6
v20.0.7
v20.0.8
v20.0.9
v20.1.0
v20.1.1
v20.2.0
v20.3.0
v20.3.1
v20.3.2
v20.3.3
v20.3.4
v20.3.5
v20.3.6
v20.3.7
v20.3.8
v20.3.9
v20.4.0
v20.5.0
v20.5.1
v20.5.2
v20.5.3
v20.5.4
v20.5.5
v20.6.0
v20.6.1
v20.6.2
v20.6.3
v20.6.4
v20.6.5
v20.7.0
v20.7.1
v20.7.2
v20.8.0
v20.8.1
v20.8.2
v20.8.3
v20.8.4
v20.8.5
v20.8.6
v20.8.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33943.json"