Happy DOM Code Injection and Express XSS Sanitizer Bypass Patched
Two high-severity flaws were disclosed in widely used JavaScript ecosystem packages, including a remote code execution issue in Happy DOM tracked as CVE-2026-33943 and an XSS protection bypass in Express XSS Sanitizer tracked as CVE-2026-33979. In Happy DOM versions 15.10.0 through 20.8.7, unsanitized names inside export { } declarations in the ECMAScriptModuleCompiler could be interpolated into generated code and executed, allowing arbitrary JavaScript injection through ES module scripts. The flaw is classified as CWE-94 and was fixed in version 20.8.8.
Express XSS Sanitizer versions prior to 2.0.2 were found to mishandle restrictive allowedTags and allowedAttributes settings, causing explicitly empty configurations to be ignored and weakening intended sanitization controls. That behavior could leave applications exposed to cross-site scripting despite developers attempting to enforce strict filtering. The issue is tracked as CVE-2026-33979, mapped to CWE-79 and CWE-183, and was corrected in version 2.0.2 by ensuring user-supplied sanitization settings are passed through as intended.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Express XSS Sanitizer fixes bypass in version 2.0.2
Version 2.0.2 changed validation logic so explicitly provided empty `allowedTags` or `allowedAttributes` values are respected and passed directly to sanitize-html. This fixed the permissive sanitization behavior that could increase XSS risk.
GitHub security advisories receives CVE-2026-33979 report
The CVE record states that security-advisories@github.com received the Express XSS Sanitizer vulnerability report on March 27, 2026. The issue was classified under CWE-79 and CWE-183.
Express XSS Sanitizer flaw found in versions prior to 2.0.2
A vulnerability in Express XSS Sanitizer caused explicitly restrictive `allowedTags` or `allowedAttributes` settings to be ignored, potentially weakening intended XSS protections. The issue affected versions before 2.0.2 across Express 4.x and 5.x middleware deployments.
Happy DOM fixes CVE-2026-33943 in version 20.8.8
Happy DOM addressed the ECMAScriptModuleCompiler code injection issue by releasing version 20.8.8. The fix closed the sanitization bypass that allowed executable code injection through crafted ES module exports.
Happy DOM code injection flaw affects versions 15.10.0 through 20.8.7
A code injection vulnerability in Happy DOM's ECMAScriptModuleCompiler allowed unsanitized export names in `export { }` declarations to be interpolated into generated code and executed. The flaw could enable remote code execution via injected JavaScript expressions, including template literal payloads using backticks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-33979 - Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
cvefeed.io
Open sourceCVE-2026-33943 - Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Remote Code Execution Vulnerability in Happy DOM JavaScript Library
A critical security vulnerability, tracked as CVE-2025-61927, has been discovered in the Happy DOM JavaScript library, which is widely used for server-side rendering and testing frameworks. The flaw allows attackers to escape the virtual machine (VM) context, potentially leading to remote code execution on affected systems. Happy DOM, with over 2.7 million weekly downloads, is integrated into numerous applications, amplifying the potential impact of this vulnerability. The root cause of the issue lies in improper isolation of the Node.js VM context in Happy DOM versions 19 and earlier, which fails to adequately sandbox untrusted code. Security researcher Mas0nShi identified that attackers can exploit the JavaScript constructor inheritance chain to access the global Function constructor, enabling arbitrary code execution. In environments using the CommonJS module system, attackers can further leverage the require() function to import and execute additional modules, broadening the attack surface. While ECMAScript module (ESM) environments restrict some capabilities, they are still affected by the core VM context escape. The vulnerability has been assigned a CVSS score of 9.4, underscoring its severity and the urgency for remediation. Millions of applications that rely on Happy DOM for testing or server-side rendering are at risk if they have not updated to a patched version. The flaw enables attackers to bypass intended security boundaries, potentially compromising the host system and any sensitive data processed within the affected environment. Security advisories recommend immediate updates to the latest version of Happy DOM to mitigate the risk. Organizations are urged to review their software supply chain for dependencies on Happy DOM and to apply patches as soon as possible. The vulnerability highlights the risks associated with improper sandboxing in JavaScript environments, especially in widely adopted open-source libraries. No reports of active exploitation have been confirmed at this time, but the public disclosure and technical details increase the likelihood of exploitation attempts. Security teams should monitor for suspicious activity related to Node.js processes and review application logs for signs of compromise. The incident serves as a reminder of the importance of rigorous security testing and isolation in libraries that execute untrusted code. Developers and DevOps teams should prioritize dependency management and vulnerability scanning to reduce exposure to similar flaws in the future.
Mar 21, 2026
Stored XSS in sanitize-html Defaults via Disallowed `xmp` Tag Bypass
A vulnerability tracked as **CVE-2026-44990** allows stored cross-site scripting in `sanitize-html` when applications use the library’s default configuration and later render sanitized user content as trusted HTML. The flaw affects versions prior to **2.17.4** and stems from the handling of the disallowed `xmp` element: because `htmlparser2` treats `xmp` as a raw-text tag, attacker-supplied markup inside it is preserved as text during sanitization but can be emitted back as active HTML or JavaScript under the default `disallowedTagsMode: 'discard'` behavior. GitHub’s advisory and the upstream patch say the bypass can let payloads such as `<script>`, `img` event handlers, and `svg`-embedded script content survive filtering and execute in a victim’s browser. The fix in **2.17.4** adds `xmp` to `nonTextTags` so content inside a disallowed `xmp` tag is dropped instead of re-emitted, and regression tests were added to confirm the malicious content is removed. The issue was reported by **Vincenzo Turturro** (`sushi-gif`), and users of affected `sanitize-html` deployments, including those in **ApostropheCMS**, were urged to update immediately.
Jun 13, 2026
DOMPurify Flaws Enable XSS Bypass Through ADD_ATTR and Prototype Pollution
Two newly disclosed flaws in **DOMPurify** can let attackers bypass the library’s sanitization logic and inject malicious attributes or unsafe URLs into supposedly cleaned HTML. One issue, tracked as **`GHSA-CJMM-F4JC-QW8R`**, affects deployments that use a predicate function with the `ADD_ATTR` configuration. If that predicate approves URI-bearing attributes such as `href` or `src`, DOMPurify can skip later mandatory safety checks, including protocol validation, allowing dangerous values such as `javascript:`, `vbscript:`, or `data:` to pass through and potentially trigger DOM-based cross-site scripting. A second flaw, **`GHSA-CJ63-JHHR-WCXV`**, stems from prototype pollution when the `USE_PROFILES` option is enabled. In vulnerable versions, DOMPurify initializes `ALLOWED_ATTR` as a standard JavaScript array, allowing inherited properties from `Array.prototype` to influence attribute validation. An attacker able to pollute `Array.prototype` with entries such as `onclick` can cause DOMPurify to treat malicious event-handler attributes as explicitly allowed, creating another path to XSS. Together, the disclosures show that applications relying on DOMPurify may remain exposed if they use dynamic attribute approval or operate in environments where prototype pollution is possible.
Apr 3, 2026