Lookup for vulnerable packages by Package URL.

Purl pkg:npm/happy-dom@19.0.0
Type npm
Namespace
Name happy-dom
Version 19.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 20.8.9
Latest_non_vulnerable_version 20.8.9
Affected_by_vulnerabilities
0
url VCID-hvjv-qpkc-kug7
vulnerability_id VCID-hvjv-qpkc-kug7
summary Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contain a security vulnerability that puts the owner system at risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process-level functionality. It seems that what the attacker can get control over depends on whether the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61927.json
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61927.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61927
reference_id
reference_type
scores
0
value 0.00581
scoring_system epss
scoring_elements 0.69401
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61927
2
reference_url https://github.com/capricorn86/happy-dom
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/capricorn86/happy-dom
3
reference_url https://github.com/capricorn86/happy-dom/commit/de438ad72921c69793584aa657b48d3655dfac97
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/capricorn86/happy-dom/commit/de438ad72921c69793584aa657b48d3655dfac97
4
reference_url https://github.com/capricorn86/happy-dom/releases/tag/v20.0.0
reference_id
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/capricorn86/happy-dom/releases/tag/v20.0.0
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403177
reference_id 2403177
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403177
6
reference_url https://github.com/capricorn86/happy-dom/commit/819d15ba289495439eda8be360d92a614ce22405
reference_id 819d15ba289495439eda8be360d92a614ce22405
reference_type
scores
0
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T19:58:56Z/
url https://github.com/capricorn86/happy-dom/commit/819d15ba289495439eda8be360d92a614ce22405
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61927
reference_id CVE-2025-61927
reference_type
scores
0
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61927
8
reference_url https://github.com/advisories/GHSA-37j7-fg3j-429f
reference_id GHSA-37j7-fg3j-429f
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-37j7-fg3j-429f
9
reference_url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f
reference_id GHSA-37j7-fg3j-429f
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T19:58:56Z/
url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f
10
reference_url https://access.redhat.com/errata/RHSA-2025:23225
reference_id RHSA-2025:23225
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:23225
fixed_packages
0
url pkg:npm/happy-dom@20.0.0
purl pkg:npm/happy-dom@20.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-stj3-4agu-jbh7
1
vulnerability VCID-vu96-bjvq-4bex
2
vulnerability VCID-vw96-jr5m-8uc2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@20.0.0
aliases CVE-2025-61927, GHSA-37j7-fg3j-429f
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hvjv-qpkc-kug7
1
url VCID-stj3-4agu-jbh7
vulnerability_id VCID-stj3-4agu-jbh7
summary In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow by flipping checks of undefined properties. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62410.json
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-62410.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-62410
reference_id
reference_type
scores
0
value 0.00137
scoring_system epss
scoring_elements 0.33382
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-62410
2
reference_url https://github.com/capricorn86/happy-dom
reference_id
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/capricorn86/happy-dom
3
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2404254
reference_id 2404254
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2404254
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-62410
reference_id CVE-2025-62410
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-62410
5
reference_url https://github.com/capricorn86/happy-dom/commit/f4bd4ebe3fe5abd2be2bcea1c07043c8b0b70eea
reference_id f4bd4ebe3fe5abd2be2bcea1c07043c8b0b70eea
reference_type
scores
0
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-15T18:15:58Z/
url https://github.com/capricorn86/happy-dom/commit/f4bd4ebe3fe5abd2be2bcea1c07043c8b0b70eea
6
reference_url https://github.com/advisories/GHSA-qpm2-6cq5-7pq5
reference_id GHSA-qpm2-6cq5-7pq5
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qpm2-6cq5-7pq5
7
reference_url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5
reference_id GHSA-qpm2-6cq5-7pq5
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-10-15T18:15:58Z/
url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5
fixed_packages
0
url pkg:npm/happy-dom@20.0.2
purl pkg:npm/happy-dom@20.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-vu96-bjvq-4bex
1
vulnerability VCID-vw96-jr5m-8uc2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@20.0.2
aliases CVE-2025-62410, GHSA-qpm2-6cq5-7pq5
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-stj3-4agu-jbh7
2
url VCID-vu96-bjvq-4bex
vulnerability_id VCID-vu96-bjvq-4bex
summary Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34226.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34226.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34226
reference_id
reference_type
scores
0
value 0.00054
scoring_system epss
scoring_elements 0.17277
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34226
2
reference_url https://github.com/capricorn86/happy-dom
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/capricorn86/happy-dom
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34226
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34226
4
reference_url https://github.com/capricorn86/happy-dom/pull/2117
reference_id 2117
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/
url https://github.com/capricorn86/happy-dom/pull/2117
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452519
reference_id 2452519
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452519
6
reference_url https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751
reference_id 68324c21d7b98f53f7bb5a7b3e185bda7106e751
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/
url https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751
7
reference_url https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts
reference_id FetchRequestHeaderUtility.ts
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/
url https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts
8
reference_url https://github.com/advisories/GHSA-w4gp-fjgq-3q4g
reference_id GHSA-w4gp-fjgq-3q4g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w4gp-fjgq-3q4g
9
reference_url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g
reference_id GHSA-w4gp-fjgq-3q4g
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/
url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g
10
reference_url https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9
reference_id v20.8.9
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/
url https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9
fixed_packages
0
url pkg:npm/happy-dom@20.8.9
purl pkg:npm/happy-dom@20.8.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@20.8.9
aliases CVE-2026-34226, GHSA-w4gp-fjgq-3q4g
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vu96-bjvq-4bex
3
url VCID-vw96-jr5m-8uc2
vulnerability_id VCID-vw96-jr5m-8uc2
summary Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization. Version 20.8.8 fixes the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33943.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33943.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33943
reference_id
reference_type
scores
0
value 0.00085
scoring_system epss
scoring_elements 0.24586
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33943
2
reference_url https://github.com/capricorn86/happy-dom
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/capricorn86/happy-dom
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33943
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33943
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2452522
reference_id 2452522
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2452522
5
reference_url https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c
reference_id 5437fdf8f13adb9590f9f52616d9f69c3ee8db3c
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-27T21:58:00Z/
url https://github.com/capricorn86/happy-dom/commit/5437fdf8f13adb9590f9f52616d9f69c3ee8db3c
6
reference_url https://github.com/advisories/GHSA-6q6h-j7hj-3r64
reference_id GHSA-6q6h-j7hj-3r64
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6q6h-j7hj-3r64
7
reference_url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64
reference_id GHSA-6q6h-j7hj-3r64
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-27T21:58:00Z/
url https://github.com/capricorn86/happy-dom/security/advisories/GHSA-6q6h-j7hj-3r64
8
reference_url https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8
reference_id v20.8.8
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-27T21:58:00Z/
url https://github.com/capricorn86/happy-dom/releases/tag/v20.8.8
fixed_packages
0
url pkg:npm/happy-dom@20.8.8
purl pkg:npm/happy-dom@20.8.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-vu96-bjvq-4bex
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@20.8.8
aliases CVE-2026-33943, GHSA-6q6h-j7hj-3r64
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vw96-jr5m-8uc2
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@19.0.0