CVE-2026-33943
Published 2026-03-27
Priority: P2 (67) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.79% (51.6th percentile)
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| capricorn86 | happy-dom | — | — |
| capricorn86 | happy-dom | >= 15.10.0 < 20.8.8 | 20.8.8 |
| capricorn86 | happy_dom | >= 15.10.0 < 20.8.8 | 20.8.8 |
Detection & IOCs (extracted from sources)
- Vulnerability exists in the `ECMAScriptModuleCompiler` component of happy-dom versions 15.10.0 through 20.8.7; monitor for use of these versions in server-side or CI/CD environments processing untrusted ES module scripts.
- Detect payloads using backtick (template literal) syntax inside `export { }` declarations, as the quote filter fails to strip backticks, allowing bypass of sanitization.
- The compiler directly interpolates unsanitized content into generated code; inspect generated/compiled ES module output from happy-dom for unexpected executable expressions embedded in export blocks.
- Affected versions are 15.10.0 through 20.8.7; version 20.8.8 contains the fix. Ensure deployed packages (including container images such as ansible-automation-platform-26/gateway-rhel9 and openshift4/ose-agent-installer-ui-rhel9) are updated accordingly.
- No mitigation is currently available from Red Hat for affected products; upgrading to the fixed version is the only remediation path.
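As an added example (not code from happy-dom or from any of the advisories quoted on this page), the two detection items above can be turned into runnable checks: an allow-list validator for `export { }` specifiers that accepts only `name` or `name as alias` identifiers, so template literals and any other expression are rejected by construction rather than by a deny-list quote filter, and a version test for the affected 15.10.0 to 20.8.7 range. The export-block regex is the one the advisory quotes (braces escaped); the sample module and all function names are constructed for this example.

```javascript
// Added example, not part of happy-dom or the advisory text.

// Export-object pattern quoted by the advisory, with braces escaped.
const EXPORT_OBJECT_RE = /export\s*\{([^}]+)\}/g;

// A specifier is accepted only as `name` or `name as alias`, where both
// sides are plain identifiers. Anything else (backticks, operators, calls)
// fails the allow-list and is reported.
const SPECIFIER_RE = /^[A-Za-z_$][\w$]*(?:\s+as\s+[A-Za-z_$][\w$]*)?$/;

// Scan ES module source text and return every export specifier that is not
// a plain identifier, with a coarse reason for triage.
function findUnsafeExportSpecifiers(source) {
  const findings = [];
  for (const match of source.matchAll(EXPORT_OBJECT_RE)) {
    const specifiers = match[1].split(',').map((s) => s.trim()).filter(Boolean);
    for (const spec of specifiers) {
      if (SPECIFIER_RE.test(spec)) continue;
      findings.push({
        specifier: spec,
        reason: spec.includes('`') ? 'template-literal' : 'non-identifier',
      });
    }
  }
  return findings;
}

// Minimal semver comparison (major.minor.patch, optional leading "v").
function parseVersion(v) {
  return v.replace(/^v/, '').split('.').map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Affected range from the advisory: >= 15.10.0 and < 20.8.8.
function isAffectedVersion(version) {
  return compareVersions(version, '15.10.0') >= 0 && compareVersions(version, '20.8.8') < 0;
}

// Constructed sample: one well-formed export block, one with a malformed
// specifier containing a backtick (inert text, not an exploit).
const SAMPLE_MODULE = 'const a = 1;\nexport { a, a as b };\nexport { `junk` as c };\n';
```

Running `findUnsafeExportSpecifiers(SAMPLE_MODULE)` reports only the third export's specifier; the first block passes because every entry is a bare identifier or `identifier as identifier`.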
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Red Hat (vendor): 8.8 HIGH
GHSA · 2026-03-26 · HIGH · CWE-94
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
### Summary
A code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.
### Details
**Vulnerable file**: `packages/happy-dom/src/module/ECMAScriptModuleCompiler.ts`, lines 371-385
The "Export object" handler extracts content from `export { ... }` using the regex `export\s*{([^}]+)}`, then generates
OSV · 2026-03-26 · HIGH
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code (same advisory text as the GHSA entry above)
Red Hat · 2026-03-27 · CVSS 8.8 HIGH · CWE-917
happy-dom: Happy DOM: Remote Code Execution via JavaScript expression injection
A flaw was found in Happy DOM, a JavaScript implementation of a web browser. This vulnerability
No detection rules found.
No public exploits indexed.
References
- https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c
- https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8
- https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64
- https://access.redhat.com/security/cve/CVE-2026-33943
- https://bugzilla.redhat.com/show_bug.cgi?id=2452522
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33943.json