Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
Published: 2026-03-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An issue in Happy DOM's ECMAScriptModuleCompiler allows the interpreter to insert unsanitized export names directly into generated code. Through this mechanism, an attacker can inject arbitrary JavaScript expressions inside export { } declarations in ES module scripts, bypassing the built‑in quote filter because backticks are not removed. The result is remote code execution within the environment that consumes Happy DOM. The vulnerability is classified as Code Injection (CWE‑94) and the execution of unsanitized content (CWE‑917).

Affected Systems

The flaw exists in versions 15.10.0 through 20.8.7 of the Happy DOM library distributed by Capricorn86. Applications that rely on these versions to parse or execute ES modules will be impacted; the fix is available in version 20.8.8 and later.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity level, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires that an attacker can supply or influence the ES module source that Happy DOM compiles, which is typically a local developer or a compromised application. If such code can be injected, the attacker can execute arbitrary JavaScript with the privileges of the host process.

Generated by OpenCVE AI on April 13, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Happy DOM to version 20.8.8 or newer.
  • If immediate upgrade is not feasible, restrict the source of ES module scripts passed to Happy DOM to fully trusted code paths and avoid processing user‑controlled or external modules.
  • As a temporary safeguard, manually remove backticks or otherwise sanitize export names before passing the module to Happy DOM.
  • Monitor the library’s release notes for future patches and remain vigilant for any new advisories.

Generated by OpenCVE AI on April 13, 2026 at 18:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6q6h-j7hj-3r64 Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
History

Mon, 13 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Capricorn86 happy Dom
CPEs cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:node.js:*:*
Vendors & Products Capricorn86 happy Dom

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Capricorn86
Capricorn86 happy-dom
Vendors & Products Capricorn86
Capricorn86 happy-dom

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-917
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
Title Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Capricorn86 Happy-dom Happy Dom
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T21:58:16.284Z

Reserved: 2026-03-24T19:50:52.104Z

Link: CVE-2026-33943

cve-icon Vulnrichment

Updated: 2026-03-27T21:58:10.989Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T22:16:21.393

Modified: 2026-04-13T17:24:44.997

Link: CVE-2026-33943

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T21:15:19Z

Links: CVE-2026-33943 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:35Z

Weaknesses