Main Vulnerability Database SB2026042771

SB2026042771 - Insertion of Sensitive Information Into Sent Data in Happy DOM

Published: April 27, 2026

Security Bulletin ID SB2026042771

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-34226)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into sent data in getRequestHeaders() in packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts when processing fetch requests with credentials set to include. A remote attacker can trigger a cross-origin request to cause cookies from the current page origin to be sent to the request destination.

This issue affects authenticated or session-based flows that rely on browser-like fetch behavior across different origins.

Remediation

Install update from vendor's website.

SB2026042771 - Insertion of Sensitive Information Into Sent Data in Happy DOM

Breakdown by Severity

Description

Remediation

References

Please verify you're human