Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code

Summary A code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution RCE by injecting arbitrary JavaScript expressions inside export declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content...