CVE-2026-33943
Status: Received - Intake
Code Injection in Happy DOM ECMAScriptModuleCompiler Enables RCE

Publication date: 2026-03-27

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
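The description above turns on two points: specifier text is interpolated straight into generated code, and the sanitizer is a character blacklist that misses backticks. The following added example (not Happy DOM's own code; the names and the blacklist filter are hypothetical, modelled only on the description) contrasts such a filter with an allowlist parser for `export { }` specifiers that refuses anything that is not a plain identifier before it can reach generated code. The identifier grammar is simplified (no string-literal export names).

```javascript
// Added example, not Happy DOM's code: a hypothetical blacklist "quote filter"
// beside an allowlist parser for the names inside `export { ... }`, so that
// only validated identifiers are ever interpolated into generated code.

// Hypothetical blacklist filter: strips ' and " but leaves backticks, so a
// template literal could still survive into the generated expression.
function quoteFilter(specifier) {
  return specifier.replace(/['"]/g, '');
}

// Simplified ECMAScript identifier (no string-literal export names, no ZWJ/ZWNJ).
const IDENT = /^[\p{ID_Start}$_][\p{ID_Continue}$]*$/u;

// Parse one specifier, `name` or `name as alias`; return null if it is not
// made of plain identifiers (anything else is refused, not "cleaned").
function parseExportSpecifier(raw) {
  const parts = raw.trim().split(/\s+as\s+/);
  if (parts.length > 2) return null;
  const [local, exported = local] = parts;
  if (!IDENT.test(local) || !IDENT.test(exported)) return null;
  return { local, exported };
}

// Parse the text between the braces of `export { ... }`. A trailing comma is
// allowed; any specifier that fails the allowlist aborts compilation.
function parseExportClause(clause) {
  const specs = [];
  for (const item of clause.split(',')) {
    if (item.trim() === '') continue;
    const spec = parseExportSpecifier(item);
    if (spec === null) {
      throw new SyntaxError(`rejected export specifier: ${item.trim()}`);
    }
    specs.push(spec);
  }
  return specs;
}

// Code generation: the exported name is emitted as a JSON string literal and
// the local name has already been proven to be a bare identifier.
function compileExportClause(clause) {
  return parseExportClause(clause)
    .map(({ local, exported }) => `exports[${JSON.stringify(exported)}] = ${local};`)
    .join('\n');
}

// Constructed inputs for a stand-alone run.
console.log(compileExportClause('foo, bar as baz'));
console.log(quoteFilter('foo`x`'));           // prints foo`x`: backticks kept
console.log(parseExportSpecifier('foo`x`'));  // prints null: refused outright
```

The point is the shape of the fix for CWE-94: validate against the grammar you intend to accept rather than stripping the characters you happen to remember are dangerous.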
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: capricorn86
Product: happy_dom
Version / Range: From 15.10.0 (inc) to 20.8.8 (exc)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

This vulnerability exists in Happy DOM, a JavaScript implementation of a web browser without a graphical user interface. In versions 15.10.0 through 20.8.7, the `ECMAScriptModuleCompiler` component contains a code injection flaw: an attacker can place arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by Happy DOM, and the compiler inserts that unsanitized content into generated code as an executable expression. The quote filter applied to this content does not remove backticks, so template literal-based payloads bypass it. The result is Remote Code Execution (RCE). The issue is fixed in version 20.8.8.

Impact Analysis

This vulnerability can have severe impact because it lets an attacker execute arbitrary code on any system that processes untrusted ES module scripts with a vulnerable version of Happy DOM. This can lead to full system compromise, unauthorized access to sensitive data, disruption of services, and further exploitation within the affected environment.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Happy DOM to version 20.8.8 or later, where the issue has been fixed.

Compliance Impact

The vulnerability in Happy DOM allows remote code execution through code injection, which can lead to unauthorized access, data manipulation, or data breaches.

Such security weaknesses can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system integrity.

However, specific effects on compliance depend on the context of use and whether the vulnerable component processes or protects regulated data.
