Skip to main content

Angular platform-server EUVDEUVD-2026-38291

| CVE-2026-50556 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 https://github.com/angular/angular GHSA-gxx4-3xcv-f8qx
8.6
CVSS 4.0 · Vendor: https://github.com/angular/angular
Share

Severity by source

Vendor (https://github.com/angular/angular) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.3 CRITICAL

Network-reachable unauthenticated input (PR:N), victim must load the SSR page (UI:R), XSS crosses into the browser security context (S:C) with limited confidentiality and integrity impact and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/angular/angular).

CVSS VectorVendor: https://github.com/angular/angular

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 22, 2026 - 18:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 22, 2026 - 18:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 18:23 vuln.today
cvss_changed
CVSS changed
Jun 22, 2026 - 18:23 NVD
8.6 (HIGH)
Source Code Evidence Fetched
Jun 15, 2026 - 17:52 vuln.today
Analysis Generated
Jun 15, 2026 - 17:52 vuln.today

DescriptionCVE.org

A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements.

When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element.

However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances.

The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS).

Impact

This vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks against any user visiting an SSR-rendered page that binds user-controlled data inside a <noscript> element. This can lead to session hijacking, credentials theft, unauthorized actions on behalf of users, and defacement.

Patched Versions

  • 22.0.0-rc.2
  • 21.2.16
  • 20.3.24
  • 19.2.25

Workarounds

If you cannot immediately update your dependencies, you can:

  • Avoid binding user-controlled values inside <noscript> elements.
  • Sanitize any user input placed inside <noscript> to explicitly strip closing </noscript> tags before passing it to the template.

AnalysisAI

Cross-site scripting in @angular/platform-server allows attackers to inject executing script into SSR-rendered pages that bind user-controlled text inside a <noscript> element. The bundled domino DOM emulator omitted <noscript> from raw-text closing-tag escaping, so a </noscript> substring in dynamic content broke out of the element and ran an attacker-controlled <script> sibling in the victim's origin. No public exploit identified at time of analysis, but a fix-validating test in the upstream patch effectively demonstrates the technique.

Technical ContextAI

@angular/platform-server is Angular's Server-Side Rendering (SSR) package, which uses the domino library as a server-side DOM implementation. Under SSR, domino runs with scripting enabled, which means HTML treats <noscript> as a raw-text element - its text content must be serialized with any internal </noscript> prefix escaped to &lt;/noscript, the same way <script>, <style>, <iframe>, etc. are handled. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) caused by domino's hasRawContent table omitting the NOSCRIPT entry in lib/NodeUtils.js, so the escapeMatchingClosingTag step was skipped entirely for <noscript> content. Affected CPE is pkg:npm/@angular/platform-server; the underlying fix lives in angular/domino PR #29 and also corrects a related UTF-16 offset bug where astral characters (emoji) preceding a closing tag could shift the escape position and re-introduce breakouts for other raw-text tags like <iframe> and <style>.

RemediationAI

Vendor-released patches: upgrade @angular/platform-server to 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25 depending on your release line, per the Angular advisory at https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx (underlying domino fix in https://github.com/angular/domino/pull/29). If you cannot upgrade immediately, the vendor-supplied workarounds are to (a) stop binding user-controlled values inside <noscript> elements in any SSR template, and (b) where such bindings must remain, sanitize the input by stripping or escaping </noscript> substrings before passing the value to the template - note this only blunts the specific breakout vector and does not address the related astral-character offset bug also fixed in domino PR #29, which is why upgrading is preferred. Audit Angular templates for {{ value }} and [textContent] bindings inside <noscript> as the highest-priority review target.

Vendor StatusVendor

Share

EUVD-2026-38291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy