216.73.216.86

CVE-2026-33943

· Published 27/03/2026 22:16 · Modified 27/03/2026 22:16

Labels: CVE-2026-33943 2026-03-27CVE-2026-33943CWE-94[email protected]

Essential information

Published
27/03/2026 22:16
Modified
27/03/2026 22:16
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
happy-dom / happy dom cpe:2.3:a:happy-dom:happy_dom:15.10.0-20.8.7:*:*:*:*:*:*:*

References