Cyber Resilience

CVE-2026-33943

High · Public PoC · RCE · Updated

Published: 27 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (20.8.8)
CVSS v3.1: 8.8 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.0074 (50.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33943 is a high-severity Code Injection (CWE-94) vulnerability in Capricorn86 Happy Dom. Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.9% of CVEs by EPSS exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

Happy DOM, a JavaScript implementation of a web browser without a graphical user interface, contains a code injection vulnerability in its ECMAScriptModuleCompiler component affecting versions 15.10.0 through 20.8.7. The flaw, tracked as CVE-2026-33943 and associated with CWE-94, enables remote code execution (RCE) by allowing attackers to inject arbitrary JavaScript expressions within `export { }` declarations in ES module scripts processed by Happy DOM. This occurs because the compiler directly interpolates unsanitized content into generated code as executable expressions, while the quote filter fails to strip backticks, permitting template literal-based payloads to bypass sanitization.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): it is exploitable over the network with low attack complexity and no privileges, but it does require user interaction (UI:R), and it has high impact on confidentiality, integrity and availability with no scope change. In practice the user interaction is whatever causes an application to feed attacker-supplied ES module scripts to a vulnerable Happy DOM version, for example a Node.js tool that simulates a DOM, a testing framework's environment, or a server-side rendering setup. Successful exploitation yields arbitrary JavaScript execution in the context of the Happy DOM instance, which means inside the Node.js process hosting it.

Version 20.8.8 fixes the issue; details are in the project's GitHub security advisory (GHSA-6q6h-j7hj-3r64), the release notes, and the fixing commit (5437fdf8f13adb9590f9f52616d9f69c3ee8db3c). Practitioners should audit dependency lockfiles for affected Happy DOM versions, including copies pulled in transitively by test runners, and apply the update promptly, since automated testing pipelines and headless browser emulation are exactly the scenarios in which Happy DOM processes module content.

Vulnerability details

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
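The mechanism described in the deeper analysis and in the vulnerability details above, modelled as an added example in JavaScript. This is not Happy DOM's ECMAScriptModuleCompiler and not the advisory's proof of concept: the export-list handling, the quote filter, the `globalThis.__canary` marker and the sample payload are all constructed here to show why a filter that strips quotes but not backticks does not stop an injection in expression position, and what an allow-list fix looks like.

```javascript
// Added example, not Happy DOM code: a toy "module compiler" that turns the
// text inside `export { ... }` into generated JavaScript and runs it.

const QUOTE_FILTER = /["']/g;             // strips ' and " but leaves ` alone
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;  // what a legitimate specifier looks like

// Rewrite `local as exported` to `exported: local`; a bare name is shorthand.
// With validate=false, whatever text is in the list is passed through as-is.
function exportItemsToMembers(exportList, validate) {
  return exportList.split(',').map((raw) => {
    const item = raw.trim();
    const [local, exported = local] = item.split(/\s+as\s+/);
    if (validate && !(IDENTIFIER.test(local) && IDENTIFIER.test(exported))) {
      throw new SyntaxError(`invalid export specifier: ${item}`);
    }
    return exported === local ? local : `${exported}: ${local}`;
  });
}

// Vulnerable shape: a quote filter is the only defence, and the filtered text
// lands in generated code in expression position.
function compileExportsVulnerable(exportList) {
  const filtered = exportList.replace(QUOTE_FILTER, '');
  return `return { ${exportItemsToMembers(filtered, false).join(', ')} };`;
}

// Hardened shape: every specifier must be an identifier before any code is
// generated; no attempt is made to filter characters out of attacker text.
function compileExportsHardened(exportList) {
  return `return { ${exportItemsToMembers(exportList, true).join(', ')} };`;
}

// Run generated code with the module's local bindings as parameters, standing
// in for the runtime that executes the compiled module body.
function runCompiled(code, scope) {
  return new Function(...Object.keys(scope), code)(...Object.values(scope));
}

function demo() {
  const scope = { a: 1, b: 2 };  // constructed module-local bindings
  const out = {};
  out.benign = runCompiled(compileExportsVulnerable('a, b as c'), scope); // { a: 1, c: 2 }

  // Constructed payload using ordinary quotes: the filter removes them, so
  // `injected` is evaluated as a free identifier and the generated code throws.
  delete globalThis.__canary;
  try {
    runCompiled(compileExportsVulnerable("a, pwned: (globalThis.__canary = 'injected')"), scope);
    out.quoted = 'ran';
  } catch (e) {
    out.quoted = e.constructor.name;  // 'ReferenceError'
  }

  // Same payload written as a template literal: backticks survive the filter,
  // the expression executes and the marker is set on globalThis.
  runCompiled(compileExportsVulnerable('a, pwned: (globalThis.__canary = `injected`)'), scope);
  out.backtick = globalThis.__canary;  // 'injected'

  // The allow-list compiler rejects the specifier before generating anything.
  try {
    compileExportsHardened('a, pwned: (globalThis.__canary = `injected`)');
    out.hardened = 'compiled';
  } catch (e) {
    out.hardened = e.constructor.name;  // 'SyntaxError'
  }
  return out;
}

console.log(demo());
```

The point of the two runs is the contrast: the quoted payload fails only because the attacker needed a string literal and the filter took the delimiters away, while the template-literal payload needs nothing the filter removes. Blocking characters in text that is about to become code is the wrong layer; the hardened variant decides what a specifier may be and refuses everything else before any code exists.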

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The CVE describes a remote code injection flaw in Happy DOM's ES module compiler that yields arbitrary JavaScript execution (RCE) when untrusted module content is processed by a network-accessible application or by an SSR or testing framework. The network exploitation vector against a public-facing or input-processing application maps to T1190; the resulting abuse of the JavaScript interpreter maps to T1059.007.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34226 (same product: Capricorn86 Happy Dom)
CVE-2025-26260 (shared CWE-94)
CVE-2026-26954 (shared CWE-94)
CVE-2026-41507 (shared CWE-94)
CVE-2025-12735 (shared CWE-94)
CVE-2026-25887 (shared CWE-94)
CVE-2026-33881 (shared CWE-94)
CVE-2026-25141 (shared CWE-94)
CVE-2025-23061 (shared CWE-94)
CVE-2026-4800 (shared CWE-94)

Affected Assets

capricorn86 happy-dom
Affected: 15.10.0 through 20.8.7 (fixed in 20.8.8)

Mitigating Controls (NIST 800-53 r5) (AI mapping)

SI-2 Flaw Remediation (prevent): requires timely identification, reporting, and patching of system flaws; directly mitigates CVE-2026-33943 by updating affected Happy DOM versions to 20.8.8.

RA-5 Vulnerability Monitoring and Scanning (detect): vulnerability scanning identifies deployments of Happy DOM versions affected by this RCE code injection flaw.

CM-8 System Component Inventory (detect): a component inventory supports auditing for the presence and versions of third-party libraries such as Happy DOM, surfacing potential exposure to this vulnerability.
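The dependency audit the deeper analysis recommends and the RA-5 / CM-8 checks above, as one added example in JavaScript that is not from the page or the Happy DOM project. It walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3), which lists every installed copy of a package including nested ones under a test runner, and flags happy-dom at any version in the affected range 15.10.0 through 20.8.7. The sample lockfile, `scanLockfile` and the hit format are constructed for this example; the version comparison ignores pre-release tags, so a hypothetical 20.8.8 pre-release would be treated as fixed.

```javascript
// Added example, not Happy DOM or page code: flag affected happy-dom copies
// in an npm lockfile (lockfileVersion 2/3 "packages" map).

const PACKAGE = 'happy-dom';
const AFFECTED_MIN = '15.10.0';  // first affected version (inclusive)
const FIXED = '20.8.8';          // first fixed version (exclusive upper bound)

// Parse "major.minor.patch" with an optional leading "v"; pre-release tags
// after the patch number are ignored (caveat: "20.8.8-rc" compares as fixed).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 in the usual comparator sense.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// AFFECTED_MIN <= version < FIXED
function isAffected(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 && compareSemver(version, FIXED) < 0;
}

// Every key ending in node_modules/happy-dom is an installed copy, whether it
// is top-level or nested under another dependency such as a test runner.
function findAffectedHappyDom(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${PACKAGE}`)) continue;
    if (meta && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed helper for use from the command line: scanLockfile(path).
function scanLockfile(filePath) {
  const fs = require('fs');
  return findAffectedHappyDom(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed sample: one affected top-level copy, one fixed nested copy.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { 'happy-dom': '^20.8.7' } },
    'node_modules/happy-dom': { version: '20.8.7', dev: true },
    'node_modules/some-test-runner': { version: '1.0.0', dev: true },
    'node_modules/some-test-runner/node_modules/happy-dom': { version: '20.8.8', dev: true },
    'node_modules/jsdom': { version: '25.0.0', dev: true },
  },
};

// `node scan.js package-lock.json` scans a real lockfile; with no argument the
// constructed sample is scanned instead.
const target = process.argv[2];
const found = target ? scanLockfile(target) : findAffectedHappyDom(SAMPLE_LOCKFILE);
console.log(found.length ? found : 'no affected happy-dom versions found');
```

Checking the lockfile rather than `package.json` matters here: a declared range such as `^20.8.7` says nothing about which version is actually installed, and a test runner or emulation tool can carry its own nested copy that a top-level `npm ls happy-dom` of a different version will not make obvious.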
