CVE-2026-33943
Published: 27 March 2026
Summary
CVE-2026-33943 is a high-severity Code Injection (CWE-94) vulnerability in Capricorn86 Happy Dom. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw Remediation (SI-2) requires timely identification, reporting, and patching of system flaws, directly mitigating CVE-2026-33943 by updating vulnerable Happy DOM versions to 20.8.8.
- Vulnerability Monitoring and Scanning (RA-5) identifies deployments of vulnerable Happy DOM versions affected by this RCE code injection flaw.
- System Component Inventory enables auditing for the presence and versions of third-party libraries like Happy DOM, uncovering potential exposure to this vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote code injection flaw in Happy DOM's ES module compiler that enables arbitrary JavaScript execution (RCE) when untrusted module content is processed by network-accessible applications or by SSR and testing frameworks. This maps to T1190 for the network exploitation vector against a public-facing or input-processing application, and to T1059.007 (JavaScript) for the resulting abuse of the JavaScript interpreter.
NVD Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
Deeper analysis
Happy DOM, a JavaScript implementation of a web browser without a graphical user interface, contains a code injection vulnerability in its ECMAScriptModuleCompiler component affecting versions 15.10.0 through 20.8.7. The flaw, tracked as CVE-2026-33943 and associated with CWE-94, enables remote code execution (RCE) by allowing attackers to inject arbitrary JavaScript expressions within `export { }` declarations in ES module scripts processed by Happy DOM. This occurs because the compiler directly interpolates unsanitized content into generated code as executable expressions, while the quote filter fails to strip backticks, permitting template literal-based payloads to bypass sanitization.
The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity and no privileges, but requires user interaction, and that it results in high impact to confidentiality, integrity, and availability without a scope change. An attacker can exploit it by supplying malicious ES module scripts to applications or environments that process content with vulnerable Happy DOM versions, such as Node.js-based tools for DOM simulation, testing frameworks, or server-side rendering setups. Successful exploitation leads to arbitrary JavaScript execution within the context of the Happy DOM instance.
Mitigation is available via an update to version 20.8.8, which addresses the issue as detailed in the project's GitHub security advisory (GHSA-6q6h-j7hj-3r64), release notes, and the fixing commit (5437fdf8f13adb9590f9f52616d9f69c3ee8db3c). Security practitioners should audit dependencies for vulnerable Happy DOM versions and apply the patch promptly, particularly in automated testing pipelines or headless browser emulation scenarios.
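As an added illustration of the CWE-94 pattern described above (this is not happy-dom's code; the function names and the simplified export-specifier grammar are assumptions), the following contrasts a deny-list quote filter that misses backticks with an allow-list parser that validates each `export { }` specifier before anything reaches generated code:

```javascript
// Constructed model of the CVE-2026-33943 bug class, not happy-dom's source.

// Deny-list "quote filter" in the spirit of the advisory: it strips ' and "
// but not backticks, so a template literal can survive into generated code.
function weakQuoteFilter(text) {
  return text.replace(/['"]/g, "");
}

// Unsafe pattern: the filtered clause is interpolated verbatim into code.
function compileExportClauseWeak(clauseBody) {
  return `__exports = { ${weakQuoteFilter(clauseBody)} };`;
}

// Hardened pattern: parse each specifier against the grammar it must have
// (`name` or `name as alias`, both plain identifiers) and reject anything else.
// Assumption for this demo: string-literal export names and `default` are not
// part of the accepted grammar.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function parseExportSpecifier(spec) {
  const parts = spec.trim().split(/\s+/);
  if (parts.length === 1 && IDENTIFIER.test(parts[0])) {
    return { local: parts[0], exported: parts[0] };
  }
  if (parts.length === 3 && parts[1] === "as" &&
      IDENTIFIER.test(parts[0]) && IDENTIFIER.test(parts[2])) {
    return { local: parts[0], exported: parts[2] };
  }
  throw new SyntaxError(`rejected export specifier: ${JSON.stringify(spec)}`);
}

// Safe pattern: only validated identifiers reach the generated code, and the
// exported name is emitted via JSON.stringify rather than as raw text.
function compileExportClauseSafe(clauseBody) {
  return clauseBody.split(",")
    .map((s) => s.trim()).filter(Boolean)
    .map(parseExportSpecifier)
    .map(({ local, exported }) => `__exports[${JSON.stringify(exported)}] = ${local};`)
    .join("\n");
}

// Review helper: does generated code still carry a backtick that could open a
// template literal? True for the weak compiler, impossible for the safe one.
function containsBacktick(code) {
  return code.includes("`");
}
```

The allow-list parser turns the advisory's "quote filter does not strip backticks" failure into a hard rejection, which is the property to check for when reviewing any code generator that embeds user-supplied text.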
Details
- CWE(s)