{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33943", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.104Z", "datePublished": "2026-03-27T21:15:19.186Z", "dateUpdated": "2026-03-27T21:58:16.284Z"}, "containers": {"cna": {"title": "Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"}, {"name": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c"}, {"name": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8"}], "affected": [{"vendor": "capricorn86", "product": "happy-dom", "versions": [{"version": ">= 15.10.0, < 20.8.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:15:19.186Z"}, "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue."}], "source": {"advisory": "GHSA-6q6h-j7hj-3r64", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T21:58:00.418466Z", "id": "CVE-2026-33943", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T21:58:16.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33943", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T21:58:00.418466Z"}}}], "references": [{"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T21:58:10.989Z"}}], "cna": {"title": "Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code", "source": {"advisory": "GHSA-6q6h-j7hj-3r64", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "capricorn86", "product": "happy-dom", "versions": [{"status": "affected", "version": ">= 15.10.0, < 20.8.8"}]}], "references": [{"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "name": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c", "name": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8", "name": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T21:15:19.186Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33943", "state": "PUBLISHED", "dateUpdated": "2026-03-27T21:58:16.284Z", "dateReserved": "2026-03-24T19:50:52.104Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T21:15:19.186Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue."}], "id": "CVE-2026-33943", "lastModified": "2026-03-27T22:16:21.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T22:16:21.393", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c"}, {"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8"}, {"source": "security-advisories@github.com", "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "happy-dom: Happy DOM: Remote Code Execution via JavaScript expression injection", "id": "2452522", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452522"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-917", "details": ["A flaw was found in Happy DOM, a JavaScript implementation of a web browser. This vulnerability allows a remote attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions. The `ECMAScriptModuleCompiler` component fails to properly sanitize content within `export { }` declarations in ES module scripts, leading to the direct execution of malicious code."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33943", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-26/gateway-rhel9", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-agent-installer-ui-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-27T21:15:19Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33943\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33943\nhttps://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c\nhttps://github.com/capricorn86/happy-dom/releases/tag/v20.8.8\nhttps://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64"], "threat_severity": "Important"}

{}