High severity7.5NVD Advisory· Published Mar 27, 2026· Updated Apr 1, 2026
CVE-2026-34226
CVE-2026-34226
Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (window.location) instead of the request target URL when fetch(..., { credentials: "include" }) is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
happy-domnpm | < 20.8.9 | 20.8.9 |
Affected products
2Patches
Vulnerability mechanics
References
7- github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.tsnvdPatchWEB
- github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751nvdPatchWEB
- github.com/capricorn86/happy-dom/pull/2117nvdIssue TrackingPatchWEB
- github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4gnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-w4gp-fjgq-3q4gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34226ghsaADVISORY
- github.com/capricorn86/happy-dom/releases/tag/v20.8.9nvdProductRelease NotesWEB
News mentions
0No linked articles in our index yet.