8.6

CVE-2026-50556

Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
AngularAngular SwPlatformnode.js Version <= 18.2.14
AngularAngular SwPlatformnode.js Version >= 19.0.0 < 19.2.25
AngularAngular SwPlatformnode.js Version >= 20.0.0 < 20.3.24
AngularAngular SwPlatformnode.js Version >= 21.0.0 < 21.2.16
AngularAngular Version22.0.0 Updatenext0 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext1 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext10 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext11 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext12 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext2 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext3 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext4 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext5 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext6 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext7 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext8 SwPlatformnode.js
AngularAngular Version22.0.0 Updatenext9 SwPlatformnode.js
AngularAngular Version22.0.0 Updaterc0 SwPlatformnode.js
AngularAngular Version22.0.0 Updaterc1 SwPlatformnode.js
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.24% 0.149
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com 8.6 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/angular/domino/pull/29
Patch
Issue Tracking
https://github.com/angular/angular/issues/68903
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2491459
Third Party Advisory
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50556.json
Third Party Advisory
https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2026-50556
Third Party Advisory