CVE-2026-34226 PUBLISHED

Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies

Assigner: GitHub_M
Reserved: 26.03.2026 Published: 27.03.2026 Updated: 27.03.2026

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (window.location) instead of the request target URL when fetch(..., { credentials: "include" }) is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
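The difference between the two cookie-selection behaviours described above, as an added example: this is a simplified model, not Happy DOM's own code. The `CookieJar` class, the function names and the `.example` hosts are hypothetical, and cookies are treated as host-only for brevity.

```javascript
// Toy cookie jar (constructed for illustration): host-only cookies, no path/Secure/SameSite.
class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie scoped to the host of the origin that set it.
  set(originUrl, name, value) {
    this.cookies.push({ host: new URL(originUrl).hostname, name, value });
  }
  // Build a Cookie header value from cookies whose host matches `url`.
  headerFor(url) {
    const host = new URL(url).hostname;
    return this.cookies
      .filter((c) => c.host === host)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Flawed selection: cookies are looked up by the page location,
// so origin A's cookies travel with a request sent to destination B.
function cookieHeaderFlawed(jar, pageUrl, requestUrl, credentials) {
  if (credentials !== 'include') return '';
  return jar.headerFor(pageUrl);
}

// Corrected selection: cookies are looked up by the resolved request target.
function cookieHeaderFixed(jar, pageUrl, requestUrl, credentials) {
  if (credentials !== 'include') return '';
  return jar.headerFor(new URL(requestUrl, pageUrl).href);
}

function demo() {
  const jar = new CookieJar();
  jar.set('https://app-a.example/', 'session', 'A-secret'); // constructed sample values
  jar.set('https://api-b.example/', 'pref', 'B-value');
  const page = 'https://app-a.example/dashboard';
  const target = 'https://api-b.example/collect';
  return {
    flawed: cookieHeaderFlawed(jar, page, target, 'include'),
    fixed: cookieHeaderFixed(jar, page, target, 'include'),
    sameOrigin: cookieHeaderFixed(jar, page, '/api/me', 'include'),
  };
}

console.log(demo());
```

A regression test for an affected code path can assert the same property: the `Cookie` header received by destination B must never contain a cookie set by origin A.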

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Product Status

Vendor capricorn86
Product happy-dom
Versions
  • Version < 20.8.9 is affected

Problem Types

  • CWE-201: Insertion of Sensitive Information Into Sent Data
  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor