CVE-2026-33943: Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
(updated )
A code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside export { } declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.
References
- github.com/advisories/GHSA-6q6h-j7hj-3r64
- github.com/capricorn86/happy-dom
- github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c
- github.com/capricorn86/happy-dom/releases/tag/v20.8.8
- github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64
- nvd.nist.gov/vuln/detail/CVE-2026-33943
Code Behaviors & Features
Detect and mitigate CVE-2026-33943 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →