Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/happy-dom@13.1.3

Type npm

Namespace

Name happy-dom

Version 13.1.3

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 20.8.9

Latest_non_vulnerable_version 20.8.9

Affected_by_vulnerabilities

url VCID-37t5-mg2s-dfbh

vulnerability_id VCID-37t5-mg2s-dfbh

summary happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-51757

reference_id

reference_type

scores

value	0.00662
scoring_system	epss
scoring_elements	0.71726
published_at	2026-06-13T12:55:00Z

value	0.00662
scoring_system	epss
scoring_elements	0.71628
published_at	2026-06-11T12:55:00Z

value	0.00662
scoring_system	epss
scoring_elements	0.71713
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-51757

reference_url

https://github.com/capricorn86/happy-dom

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/capricorn86/happy-dom

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-51757

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-51757

reference_url

https://github.com/capricorn86/happy-dom/issues/1585

reference_id

1585

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:51:49Z/

url

https://github.com/capricorn86/happy-dom/issues/1585

reference_url

https://github.com/capricorn86/happy-dom/pull/1586

reference_id

1586

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:51:49Z/

url

https://github.com/capricorn86/happy-dom/pull/1586

reference_url

https://github.com/capricorn86/happy-dom/commit/5ee0b1676d4ce20cc2a70d1c9c8d6f1e3f57efac

reference_id

5ee0b1676d4ce20cc2a70d1c9c8d6f1e3f57efac

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:51:49Z/

url

https://github.com/capricorn86/happy-dom/commit/5ee0b1676d4ce20cc2a70d1c9c8d6f1e3f57efac

reference_url

https://github.com/capricorn86/happy-dom/commit/d23834c232f1cf5519c9418b073f1dcec6b2f0fd

reference_id

d23834c232f1cf5519c9418b073f1dcec6b2f0fd

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:51:49Z/

url

https://github.com/capricorn86/happy-dom/commit/d23834c232f1cf5519c9418b073f1dcec6b2f0fd

reference_url	https://github.com/advisories/GHSA-96g7-g7g9-jxw8
reference_id	GHSA-96g7-g7g9-jxw8
reference_type
scores
url	https://github.com/advisories/GHSA-96g7-g7g9-jxw8

reference_url

https://github.com/capricorn86/happy-dom/security/advisories/GHSA-96g7-g7g9-jxw8

reference_id

GHSA-96g7-g7g9-jxw8

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:51:49Z/

url

https://github.com/capricorn86/happy-dom/security/advisories/GHSA-96g7-g7g9-jxw8

reference_url

https://github.com/capricorn86/happy-dom/releases/tag/v15.10.2

reference_id

v15.10.2

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-11-06T19:51:49Z/

url

https://github.com/capricorn86/happy-dom/releases/tag/v15.10.2

fixed_packages

url pkg:npm/happy-dom@15.10.2

purl pkg:npm/happy-dom@15.10.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hvjv-qpkc-kug7

vulnerability	VCID-vu96-bjvq-4bex

vulnerability	VCID-vw96-jr5m-8uc2

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@15.10.2

aliases CVE-2024-51757, GHSA-96g7-g7g9-jxw8

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-37t5-mg2s-dfbh

url VCID-hvjv-qpkc-kug7

vulnerability_id VCID-hvjv-qpkc-kug7

summary Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61927.json

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61927.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-61927

reference_id

reference_type

scores

value	0.00581
scoring_system	epss
scoring_elements	0.69505
published_at	2026-06-13T12:55:00Z

value	0.00581
scoring_system	epss
scoring_elements	0.69492
published_at	2026-06-12T12:55:00Z

value	0.00581
scoring_system	epss
scoring_elements	0.69401
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-61927

reference_url

https://github.com/capricorn86/happy-dom

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/capricorn86/happy-dom

reference_url

https://github.com/capricorn86/happy-dom/commit/de438ad72921c69793584aa657b48d3655dfac97

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/capricorn86/happy-dom/commit/de438ad72921c69793584aa657b48d3655dfac97

reference_url

https://github.com/capricorn86/happy-dom/releases/tag/v20.0.0

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/capricorn86/happy-dom/releases/tag/v20.0.0

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2403177
reference_id	2403177
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2403177

reference_url

https://github.com/capricorn86/happy-dom/commit/819d15ba289495439eda8be360d92a614ce22405

reference_id

819d15ba289495439eda8be360d92a614ce22405

reference_type

scores

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T19:58:56Z/

url

https://github.com/capricorn86/happy-dom/commit/819d15ba289495439eda8be360d92a614ce22405

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61927

reference_id

CVE-2025-61927

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61927

reference_url

https://github.com/advisories/GHSA-37j7-fg3j-429f

reference_id

GHSA-37j7-fg3j-429f

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-37j7-fg3j-429f

reference_url

https://github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f

reference_id

GHSA-37j7-fg3j-429f

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	7.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T19:58:56Z/

url

https://github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f

reference_url	https://access.redhat.com/errata/RHSA-2025:23225
reference_id	RHSA-2025:23225
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:23225

fixed_packages

url pkg:npm/happy-dom@20.0.0

purl pkg:npm/happy-dom@20.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-stj3-4agu-jbh7

vulnerability	VCID-vu96-bjvq-4bex

vulnerability	VCID-vw96-jr5m-8uc2

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@20.0.0

aliases CVE-2025-61927, GHSA-37j7-fg3j-429f

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hvjv-qpkc-kug7

url VCID-vu96-bjvq-4bex

vulnerability_id VCID-vu96-bjvq-4bex

summary Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34226.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34226.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34226

reference_id

reference_type

scores

value	0.00054
scoring_system	epss
scoring_elements	0.17456
published_at	2026-06-13T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17277
published_at	2026-06-11T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.1744
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34226

reference_url

https://github.com/capricorn86/happy-dom

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/capricorn86/happy-dom

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34226

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34226

reference_url

https://github.com/capricorn86/happy-dom/pull/2117

reference_id

2117

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/

url

https://github.com/capricorn86/happy-dom/pull/2117

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452519
reference_id	2452519
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452519

reference_url

https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751

reference_id

68324c21d7b98f53f7bb5a7b3e185bda7106e751

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/

url

https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751

reference_url

https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts

reference_id

FetchRequestHeaderUtility.ts

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/

url

https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts

reference_url

https://github.com/advisories/GHSA-w4gp-fjgq-3q4g

reference_id

GHSA-w4gp-fjgq-3q4g

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w4gp-fjgq-3q4g

reference_url

https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g

reference_id

GHSA-w4gp-fjgq-3q4g

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/

url

https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g

reference_url

https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9

reference_id

v20.8.9

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-31T14:25:16Z/

url

https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9

fixed_packages

url	pkg:npm/happy-dom@20.8.9
purl	pkg:npm/happy-dom@20.8.9
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@20.8.9

aliases CVE-2026-34226, GHSA-w4gp-fjgq-3q4g

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vu96-bjvq-4bex

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/happy-dom@13.1.3

Package Instance