CISA-2026-33943
Reported by GitHub_M · Published March 27, 2026
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| capricorn86 | happy-dom | >= 15.10.0, < 20.8.8 |
| capricorn86 | happy-dom | >= 15.10.0, < 20.8.8 |
Timeline
- Mar 27, 2026 CVE Published
- Mar 27, 2026 CVE Updated