PT-2026-28574 · Happy-Dom · Happy-Dom

Tndud042713 · Published 2026-03-26 · Updated 2026-03-31 · CVE-2026-33943

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Happy DOM versions 15.10.0 through 20.8.7

Description

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions 15.10.0 through 20.8.7 contain a code injection issue in the ECMAScriptModuleCompiler component. This allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside export { } declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression. The quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.

Recommendations

Update to version 20.8.8 to resolve the issue.
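
To find installs that still need the update, the following added example (not code from this advisory or from the happy-dom project) flags every happy-dom copy in a parsed npm package-lock.json whose version falls in the affected range stated above. It assumes lockfile version 2 or 3 (the "packages" map); the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for affected happy-dom copies.
const FIRST_AFFECTED = [15, 10, 0]; // first affected version per the advisory
const FIXED = [20, 8, 8];           // fixed version per the advisory

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "affected", "ok", or "unknown" for anything that is not a plain x.y.z
// release (pre-release tags, git URLs): those need a manual look.
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version).trim());
  if (!m) return "unknown";
  const v = m.slice(1).map(Number);
  return cmp(v, FIRST_AFFECTED) >= 0 && cmp(v, FIXED) < 0 ? "affected" : "ok";
}

// The "packages" map lists every installed copy by path, so transitive copies
// nested under another dependency are found too. Aliased installs keep the
// real package name in the entry's "name" field.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isHappyDom =
      path.endsWith("node_modules/happy-dom") || entry.name === "happy-dom";
    if (!isHappyDom) continue;
    const status = classify(entry.version);
    if (status !== "ok") findings.push({ path, version: entry.version, status });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.8.8" },
    "node_modules/test-runner/node_modules/happy-dom": { version: "15.10.0" },
    "node_modules/dom-alias": { name: "happy-dom", version: "20.8.7" },
    "node_modules/old-tool/node_modules/happy-dom": { version: "15.9.0" },
    "node_modules/fork/node_modules/happy-dom": { version: "20.8.8-beta.1" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A top-level happy-dom at 20.8.8 does not clear the project on its own: each nested or aliased copy is resolved separately and has to be updated or overridden as well.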

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-33943
GHSA-6Q6H-J7HJ-3R64

Affected Products

Happy-Dom