CVE-2026-34226

Summary

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (window.location) instead of the request target URL when fetch(..., { credentials: "include" }) is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
capricorn86happy-dom< 20.8.9affected

Weaknesses

  • CWE-201: CWE-201: Insertion of Sensitive Information Into Sent Data
  • CWE-359: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References