SCA: security update for happy-dom (GHSA-6q6h-j7hj-3r64)

critical Tenable Cloud Security Plugin ID 439293

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In
versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an
attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside
`export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates
unsanitized content into generated code as an executable expression, and the quote filter does not strip
backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the
issue. (CVE-2026-33943)

Solution

Update the happy-dom library and its related packages to version 20.8.8 or later.

See Also

https://github.com/advisories/GHSA-6q6h-j7hj-3r64

Plugin Details

Severity: Critical

ID: 439293

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 3/27/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33943

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/26/2026

Vulnerability Publication Date: 3/26/2026

Reference Information

CVE: CVE-2026-33943

cwe: CWE-94