Vulnerability Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
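The difference between selecting cookies by page location and by request target can be seen in a small model. This is an added example, not Happy DOM's code: the jar layout, function names and `.example` hosts are all constructed for illustration, and the matching rules follow RFC 6265.

```javascript
// Constructed cookie jar: each entry records the host that set the cookie.
const jar = [
  { name: "session", value: "a-secret", domain: "app.example", hostOnly: true, path: "/", secure: true },
  { name: "prefs", value: "dark", domain: "api.partner.example", hostOnly: true, path: "/", secure: false },
];

// RFC 6265 domain-match: exact host, or a subdomain when the cookie is not host-only.
function domainMatches(host, cookie) {
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith("." + cookie.domain);
}

// RFC 6265 path-match: identical, or cookie path is a prefix ending at a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Build the Cookie header for whichever URL is used as the selection key.
function cookieHeaderFor(url, cookies) {
  const { hostname, pathname, protocol } = new URL(url);
  return cookies
    .filter((c) => domainMatches(hostname, c))
    .filter((c) => pathMatches(pathname, c.path))
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Flawed behaviour as described above: the page location is the key.
function flawedHeader(pageUrl, requestUrl, cookies) {
  return cookieHeaderFor(pageUrl, cookies);
}

// Corrected behaviour: the request target is the key.
function correctedHeader(pageUrl, requestUrl, cookies) {
  return cookieHeaderFor(requestUrl, cookies);
}

const page = "https://app.example/dashboard";
const target = "https://api.partner.example/v1/items";
console.log("flawed:   ", flawedHeader(page, target, jar));
console.log("corrected:", correctedHeader(page, target, jar));
```

A regression test for a fetch implementation can assert the same property: the `Cookie` header sent to the target never contains a cookie whose domain fails the match against the target host.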
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Capricorn86 | Happy Dom | < 20.8.9 |
Related Weaknesses (CWE)
References
- https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca6964 (Patch)
- https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda (Patch)
- https://github.com/capricorn86/happy-dom/pull/2117 (Issue Tracking, Patch)
- https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9 (Product, Release Notes)
- https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-34226?
CVE-2026-34226 is a vulnerability with a CVSS score of 7.5 (HIGH). Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of ...
How severe is CVE-2026-34226?
CVE-2026-34226 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34226?
Check the references section above for vendor advisories and patch information. Affected products include: Capricorn86 Happy Dom.