CVE-2026-33943
published 2026-03-27


Priority: P267, critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.79% (51.6th percentile)
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.

Affected (3 ranges)

Vendor        Product     Version range          Fixed in
capricorn86   happy-dom
capricorn86   happy-dom   >= 15.10.0 < 20.8.8    20.8.8
capricorn86   happy_dom   >= 15.10.0 < 20.8.8    20.8.8

Detection & IOCs (extracted from sources)

  • Vulnerability exists in the `ECMAScriptModuleCompiler` component of happy-dom versions 15.10.0 through 20.8.7; monitor for use of these versions in server-side or CI/CD environments processing untrusted ES module scripts.
  • Detect payloads using backtick (template literal) syntax inside `export { }` declarations, as the quote filter fails to strip backticks, allowing bypass of sanitization.
  • The compiler directly interpolates unsanitized content into generated code; inspect generated/compiled ES module output from happy-dom for unexpected executable expressions embedded in export blocks.
  • Affected versions are 15.10.0 through 20.8.7; version 20.8.8 contains the fix. Ensure deployed packages (including container images such as ansible-automation-platform-26/gateway-rhel9 and openshift4/ose-agent-installer-ui-rhel9) are updated accordingly.
  • No mitigation is currently available from Red Hat for affected products; upgrading to the fixed version is the only remediation path.
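The two checks in the list above can be turned into code. The Node.js snippet below is an added defensive example written for this page; it is not code from the happy-dom project, from Red Hat, or from the advisory sources. It gates on the affected version range with a minimal numeric semver compare (written here, not a library call) and statically flags `export { ... }` declarations whose body contains a backtick before such module text is handed to happy-dom. The sample module texts are constructed for the demonstration and are not payloads.

```javascript
// Added example for CVE-2026-33943 (happy-dom ECMAScriptModuleCompiler code
// injection). Defender-side checks only; not code from the happy-dom project.

// Affected range as stated in the advisory: >= 15.10.0 and < 20.8.8.
const AFFECTED_MIN = "15.10.0";
const FIXED_IN = "20.8.8";

// Minimal major.minor.patch compare. Prerelease tags are dropped, which is a
// simplification for this example, not full semver semantics.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when an installed happy-dom version lies inside the vulnerable range.
function isAffectedVersion(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Scan ES module source text for `export { ... }` declarations whose body
// contains a backtick. The advisory states the compiler's quote filter does
// not strip backticks, so template-literal syntax inside an export block is
// the signal worth flagging. Returns the matching export blocks; an empty
// array means nothing was flagged. This is a regex scan, not a JS parser, so
// treat a hit as a reason to reject or review the input, not as proof.
function findSuspiciousExports(source) {
  const exportBlock = /export\s*\{([^}]*)\}/g;
  const hits = [];
  let m;
  while ((m = exportBlock.exec(source)) !== null) {
    if (m[1].includes("`")) hits.push(m[0]);
  }
  return hits;
}

// Constructed sample inputs (not taken from the advisory).
const cleanModule = [
  "const a = 1;",
  "const b = 2;",
  "export { a, b as c };",
].join("\n");

const flaggedModule = [
  "const a = 1;",
  "export { a as `renamed` };",
].join("\n");

// Usage: gate the dependency, then screen untrusted module text.
console.log("20.8.7 affected:", isAffectedVersion("20.8.7")); // true
console.log("20.8.8 affected:", isAffectedVersion("20.8.8")); // false
console.log("clean hits:", findSuspiciousExports(cleanModule).length);     // 0
console.log("flagged hits:", findSuspiciousExports(flaggedModule).length); // 1
```

The version gate belongs in CI (for example, run against the resolved version in the lockfile) so that a regression to an affected release fails the build; the export scan is a cheap pre-filter for pipelines that feed third-party module text to happy-dom and should sit alongside, not replace, the upgrade to 20.8.8.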

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor (Red Hat): 8.8 HIGH