7.5
CVE-2026-34226
- EPSS 0.41%
- Veröffentlicht 27.03.2026 21:17:24
- Zuletzt bearbeitet 01.04.2026 13:26:49
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginHappy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Capricorn86 ≫ Happy Dom SwPlatformnodejs Version < 20.8.9
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.323 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-201 Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g
https://github.com/capricorn86/happy-dom/pull/2117
https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751
https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts
https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9