CVE-2026-34226
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies
CVSS
7.5
High
EPSS
0.5%
p37
KEV
—
Exploit Today
11
0-100
Published: Mar 27, 2026 · Last modified: Jul 15, 2026 · CWE-201 · CWE-359
0.5%EPSS · 30 days0.5%
2026-06-302026-07-16
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
- github.comhttps://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts
- github.comhttps://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751
- github.comhttps://github.com/capricorn86/happy-dom/pull/2117
- github.comhttps://github.com/capricorn86/happy-dom/releases/tag/v20.8.9
- github.comhttps://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-34226
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2452519
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34226.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-444877.5 HIG47.6%
——14Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected URL is no longer proxied. Under affected redirect shapes, the final origin can receive the proxy credential that was intended only for the outbound proxy. This vulnerability is fixed in 0.32.0 and 1.16.0.16hCVE-2026-328297.5 HIG45.1%
——14lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.2dCVE-2026-399129.1 CRI44.0%
——13V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.2dCVE-2026-444867.5 HIG41.4%
——12Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that proxy, the stale Proxy-Authorization header can remain on the redirected request and be sent to the redirect target. This affects Node.js's use of Axios with automatic redirects enabled and an authenticated proxy configuration. Browser adapters are not affected. This vulnerability is fixed in 0.32.0 and 1.16.0.16hCVE-2026-428809.6 CRI39.8%
——12Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. This issue has been patched in versions 3.2.11 and 3.3.9.2dCVE-2026-54838.5 HIG39.0%
——12A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to Kubernetes resources.2d