CVE-2026-34226: CWE-201: Insertion of Sensitive Information Into Sent Data in capricorn86 happy-dom
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
AI Analysis
Technical Summary
Happy DOM is a JavaScript-based headless browser implementation. Versions before 20.8.9 incorrectly attach cookies from the current page origin (window.location) rather than the request target URL when fetch is called with credentials set to "include." This results in sensitive cookie data being sent to unintended destinations, violating the same-origin policy and potentially exposing sensitive information. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-359 (Exposure of Private Information Through Query Strings in GET Request). The issue is resolved in version 20.8.9.
Potential Impact
An attacker or malicious endpoint could receive cookies belonging to a different origin, potentially exposing sensitive session or authentication tokens. This can lead to unauthorized access or session hijacking if the leaked cookies contain sensitive authentication data. The vulnerability does not affect integrity or availability but has a high confidentiality impact as indicated by the CVSS vector.
Mitigation Recommendations
Users of happy-dom should upgrade to version 20.8.9 or later, where this issue is fixed. No other mitigation is indicated or required as the vendor has provided an official fix. Patch status is confirmed by the version update note in the advisory.
CVE-2026-34226: CWE-201: Insertion of Sensitive Information Into Sent Data in capricorn86 happy-dom
Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Happy DOM is a JavaScript-based headless browser implementation. Versions before 20.8.9 incorrectly attach cookies from the current page origin (window.location) rather than the request target URL when fetch is called with credentials set to "include." This results in sensitive cookie data being sent to unintended destinations, violating the same-origin policy and potentially exposing sensitive information. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-359 (Exposure of Private Information Through Query Strings in GET Request). The issue is resolved in version 20.8.9.
Potential Impact
An attacker or malicious endpoint could receive cookies belonging to a different origin, potentially exposing sensitive session or authentication tokens. This can lead to unauthorized access or session hijacking if the leaked cookies contain sensitive authentication data. The vulnerability does not affect integrity or availability but has a high confidentiality impact as indicated by the CVSS vector.
Mitigation Recommendations
Users of happy-dom should upgrade to version 20.8.9 or later, where this issue is fixed. No other mitigation is indicated or required as the vendor has provided an official fix. Patch status is confirmed by the version update note in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-26T16:22:29.033Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c6f6ca3c064ed76ff81bc0
Added to database: 3/27/2026, 9:29:46 PM
Last enriched: 4/4/2026, 10:54:27 AM
Last updated: 5/11/2026, 4:57:14 PM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.