{
  "threat_severity" : "Important",
  "public_date" : "2026-03-27T21:15:19Z",
  "bugzilla" : {
    "description" : "happy-dom: Happy DOM: Remote Code Execution via JavaScript expression injection",
    "id" : "2452522",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452522"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-917",
  "details" : [ "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.", "A flaw was found in Happy DOM, a JavaScript implementation of a web browser. This vulnerability allows a remote attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions. The `ECMAScriptModuleCompiler` component fails to properly sanitize content within `export { }` declarations in ES module scripts, leading to the direct execution of malicious code." ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-26/gateway-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift4/ose-agent-installer-ui-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33943\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33943\nhttps://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c\nhttps://github.com/capricorn86/happy-dom/releases/tag/v20.8.8\nhttps://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64" ],
  "name" : "CVE-2026-33943",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}