Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    64 vulnerabilities by angular

    CVE-2026-50556 (GCVE-0-2026-50556)

    Vulnerability from nvd – Published: 2026-06-22 15:38 – Updated: 2026-07-03 12:04
    VLAI
    Title
    Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.16
    Affected: >= 20.0.0-next.0, < 20.3.24
    Affected: >= 19.0.0-next.0, < 19.2.25
    Affected: <= 18.2.14
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50556",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T21:14:35.418340Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T21:17:45.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T15:38:28.166Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in @angular/platform-server. This Cross-Site Scripting (XSS) vulnerability exists in its DOM emulation dependency, domino, when handling the content of `\u003cnoscript\u003e` elements during server-side rendering. A remote attacker could exploit this by injecting unescaped closing `\u003c/noscript\u003e` tags within dynamic text content. This allows for the execution of arbitrary code in the user\u0027s browser context, potentially leading to information disclosure or other malicious activities."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:57.639Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-50556"
              },
              {
                "name": "RHBZ#2491459",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491459"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50556.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T18:02:18.131Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T15:38:28.166Z",
                "value": "Made public."
              }
            ],
            "title": "@angular/platform-server: domino: Angular Platform Server: Cross-Site Scripting via unescaped `\u003c/noscript\u003e` tags in dynamic content",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.24"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server\u0027s DOM emulation dependency (domino) when serializing the content of \u003cnoscript\u003e elements. When rendering dynamic text content inside a \u003cnoscript\u003e element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning \u003cnoscript\u003e is treated as a raw-text element. However, domino\u0027s serializer completely omitted \u003cnoscript\u003e from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of \u003c/noscript\u003e in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. \u003cnoscript\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/noscript\u003e). When parsed by a browser, it closes the \u003cnoscript\u003e block early, allowing the injected \u003cscript\u003e block to execute in the user\u0027s browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:38:28.166Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx"
            },
            {
              "name": "https://github.com/angular/angular/issues/68903",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/issues/68903"
            },
            {
              "name": "https://github.com/angular/domino/pull/29",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/domino/pull/29"
            }
          ],
          "source": {
            "advisory": "GHSA-gxx4-3xcv-f8qx",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Missing `\u003cnoscript\u003e` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50556",
        "datePublished": "2026-06-22T15:38:28.166Z",
        "dateReserved": "2026-06-04T21:34:34.426Z",
        "dateUpdated": "2026-07-03T12:04:57.639Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50555 (GCVE-0-2026-50555)

    Vulnerability from nvd – Published: 2026-06-22 15:37 – Updated: 2026-06-22 17:58
    VLAI
    Title
    Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @angular/platform-server
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of raw-text elements (such as <script>, <style>, and <iframe>). domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode index alignment bug existed in this escaping logic. In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral characters—such as emojis—occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters before the closing tag (e.g. </script>, </style>, or </iframe>), the index offset calculation in domino's replacement logic shifted. This misalignment caused domino to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML. An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., 😀</iframe><script>alert(1)</script>). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent <script> block, leading to same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.16
    Affected: >= 20.0.0-next.0, < 20.3.24
    Affected: >= 19.0.0-next.0, < 19.2.25
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50555",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:56:51.469447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:58:33.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.24"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server\u0027s DOM emulation dependency (domino) when serializing the content of raw-text elements (such as \u003cscript\u003e, \u003cstyle\u003e, and \u003ciframe\u003e). domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode index alignment bug existed in this escaping logic. In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral characters\u2014such as emojis\u2014occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters before the closing tag (e.g. \u003c/script\u003e, \u003c/style\u003e, or \u003c/iframe\u003e), the index offset calculation in domino\u0027s replacement logic shifted. This misalignment caused domino to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML. An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., \ud83d\ude00\u003c/iframe\u003e\u003cscript\u003ealert(1)\u003c/script\u003e). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent \u003cscript\u003e block, leading to same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:37:29.943Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-hqr9-c56f-3x7f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-hqr9-c56f-3x7f"
            },
            {
              "name": "https://github.com/angular/domino/pull/29",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/domino/pull/29"
            }
          ],
          "source": {
            "advisory": "GHSA-hqr9-c56f-3x7f",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in @angular/platform-server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50555",
        "datePublished": "2026-06-22T15:37:29.943Z",
        "dateReserved": "2026-06-04T21:34:34.425Z",
        "dateUpdated": "2026-06-22T17:58:33.065Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50184 (GCVE-0-2026-50184)

    Vulnerability from nvd – Published: 2026-06-22 15:42 – Updated: 2026-06-23 13:48
    VLAI
    Title
    Angular: Request Credential & Cache Policy Stripping in Angular Service Worker
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50184",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T13:48:06.163682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T13:48:24.684Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: \u0027omit\u0027) and the HTTP cache mode configuration (such as cache: \u0027no-store\u0027). These are reverted back to standard browser-default parameters (credentials: \u0027same-origin\u0027 and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker\u0027s engine, making private page states accessible or persistent inside the client\u0027s local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:50:48.049Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv"
            },
            {
              "name": "https://github.com/angular/angular/pull/68904",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68904"
            }
          ],
          "source": {
            "advisory": "GHSA-95qp-cmmw-mgqv",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Request Credential \u0026 Cache Policy Stripping in Angular Service Worker"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50184",
        "datePublished": "2026-06-22T15:42:05.167Z",
        "dateReserved": "2026-06-03T22:05:13.644Z",
        "dateUpdated": "2026-06-23T13:48:24.684Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50171 (GCVE-0-2026-50171)

    Vulnerability from nvd – Published: 2026-06-22 15:49 – Updated: 2026-06-23 16:02
    VLAI
    Title
    Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-834 - Excessive Iteration
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50171",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:16:53.849153Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T16:02:07.902Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.  This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-834",
                  "description": "CWE-834: Excessive Iteration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:49:51.774Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-p3vc-36g9-x9gr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-p3vc-36g9-x9gr"
            }
          ],
          "source": {
            "advisory": "GHSA-p3vc-36g9-x9gr",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50171",
        "datePublished": "2026-06-22T15:49:51.774Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-23T16:02:07.902Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50170 (GCVE-0-2026-50170)

    Vulnerability from nvd – Published: 2026-06-22 15:39 – Updated: 2026-06-23 16:00
    VLAI
    Title
    Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50170",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T16:00:13.983210Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T16:00:21.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user\u0027s private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:01:17.572Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x"
            },
            {
              "name": "https://github.com/angular/angular/pull/67964",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/67964"
            }
          ],
          "source": {
            "advisory": "GHSA-q6f4-qqrg-jv6x",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50170",
        "datePublished": "2026-06-22T15:39:08.877Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-23T16:00:21.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50169 (GCVE-0-2026-50169)

    Vulnerability from nvd – Published: 2026-06-22 15:41 – Updated: 2026-06-22 17:32
    VLAI
    Title
    Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50169",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:32:21.478134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:32:36.408Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: \u0027error\u0027), falling back to the browser\u0027s default \u0027follow\u0027 strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary (\"Confused Deputy\") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:46:26.364Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m"
            },
            {
              "name": "https://github.com/angular/angular/pull/67494",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/67494"
            }
          ],
          "source": {
            "advisory": "GHSA-gv2q-mqqv-365m",
            "discovery": "UNKNOWN"
          },
          "title": "Angular Service Worker Policy-Bypass \u0026 Credential-Stripping Vulnerabilities"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50169",
        "datePublished": "2026-06-22T15:41:17.125Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-22T17:32:36.408Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50168 (GCVE-0-2026-50168)

    Vulnerability from nvd – Published: 2026-06-22 15:39 – Updated: 2026-06-22 17:59
    VLAI
    Title
    Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Bypass
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node's strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:59:41.275571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:59:49.283Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node\u0027s strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino\u0027s internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:47:10.871Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-xrxm-cp7j-8xf6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-xrxm-cp7j-8xf6"
            },
            {
              "name": "https://github.com/angular/angular/pull/68928",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68928"
            }
          ],
          "source": {
            "advisory": "GHSA-xrxm-cp7j-8xf6",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50168",
        "datePublished": "2026-06-22T15:39:46.193Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-22T17:59:49.283Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46417 (GCVE-0-2026-46417)

    Vulnerability from nvd – Published: 2026-06-22 15:40 – Updated: 2026-06-30 03:15
    VLAI
    Title
    Angular: SSRF via Hostname Hijacking in @angular/platform-server
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-next.12
    Affected: >= 21.0.0-next.0, < 21.2.13
    Affected: >= 20.0.0-next.0, < 20.3.21
    Affected: >= 19.0.0-next.0, < 19.2.22
    Affected: <= 18.2.14
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46417",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:16:15.745160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:18:28.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T15:40:32.527Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:15:36.788Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-46417"
              },
              {
                "name": "RHBZ#2491444",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491444"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46417.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T18:01:21.611Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T15:40:32.527Z",
                "value": "Made public."
              }
            ],
            "title": "@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-next.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.21"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:48:53.298Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v"
            },
            {
              "name": "https://github.com/angular/angular/pull/68570",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68570"
            }
          ],
          "source": {
            "advisory": "GHSA-rfh7-fxqc-q52v",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: SSRF via Hostname Hijacking in @angular/platform-server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46417",
        "datePublished": "2026-06-22T15:40:32.527Z",
        "dateReserved": "2026-05-13T21:04:10.933Z",
        "dateUpdated": "2026-06-30T03:15:36.788Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54268 (GCVE-0-2026-54268)

    Vulnerability from nvd – Published: 2026-06-22 15:31 – Updated: 2026-06-23 16:09
    VLAI
    Title
    Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54268",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T16:07:25.833697Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T16:09:21.239Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:31:47.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-48r7-hpm6-gfxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-48r7-hpm6-gfxm"
            },
            {
              "name": "https://github.com/angular/angular/pull/69197",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69197"
            },
            {
              "name": "https://github.com/angular/angular/commit/eeb03f4ea310e2e51ba5d53a421ec7b418e186cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/eeb03f4ea310e2e51ba5d53a421ec7b418e186cd"
            }
          ],
          "source": {
            "advisory": "GHSA-48r7-hpm6-gfxm",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54268",
        "datePublished": "2026-06-22T15:31:47.836Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-23T16:09:21.239Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54267 (GCVE-0-2026-54267)

    Vulnerability from nvd – Published: 2026-06-22 15:30 – Updated: 2026-06-22 16:00
    VLAI
    Title
    Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-471 - Modification of Assumed-Immutable Data (MAID)
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54267",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:00:23.479828Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:00:36.910Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application\u0027s runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a \u003cscript\u003e tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById(\u0027ng-state\u0027) and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., \u003cdiv [id]=\"userInput\"\u003e or \u003ca id=\"ng-state\"\u003e) before the genuine \u003cscript\u003e tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById(\u0027ng-state\u0027), the browser returns the attacker\u0027s clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-471",
                  "description": "CWE-471: Modification of Assumed-Immutable Data (MAID)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:30:48.699Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg"
            },
            {
              "name": "https://github.com/angular/angular/pull/69064",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69064"
            },
            {
              "name": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa"
            }
          ],
          "source": {
            "advisory": "GHSA-rgjc-h3x7-9mwg",
            "discovery": "UNKNOWN"
          },
          "title": "Angular Client Hydration DOM Clobbering \u0026 Response-Cache Poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54267",
        "datePublished": "2026-06-22T15:30:48.699Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-22T16:00:36.910Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54266 (GCVE-0-2026-54266)

    Vulnerability from nvd – Published: 2026-06-22 15:28 – Updated: 2026-06-22 17:56
    VLAI
    Title
    Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-328 - Use of Weak Hash
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54266",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:55:58.476641Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:56:12.976Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular\u0027s HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328: Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:28:42.561Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-39pv-4j6c-2g6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-39pv-4j6c-2g6v"
            },
            {
              "name": "https://github.com/angular/angular/pull/69153",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69153"
            },
            {
              "name": "https://github.com/angular/angular/commit/5f36274da3f961430ae72865159afa02a1dd9133",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/5f36274da3f961430ae72865159afa02a1dd9133"
            }
          ],
          "source": {
            "advisory": "GHSA-39pv-4j6c-2g6v",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54266",
        "datePublished": "2026-06-22T15:28:42.561Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-22T17:56:12.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54265 (GCVE-0-2026-54265)

    Vulnerability from nvd – Published: 2026-06-22 15:27 – Updated: 2026-06-22 15:54
    VLAI
    Title
    Angular: Two-Way Property Binding Sanitization Bypass (XSS)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54265",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:54:52.170678Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:54:58.231Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]=\"value\" or bindon-innerHTML=\"value\"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular\u0027s built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:27:38.802Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5"
            },
            {
              "name": "https://github.com/angular/angular/pull/69107",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69107"
            },
            {
              "name": "https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4"
            }
          ],
          "source": {
            "advisory": "GHSA-58w9-8g37-x9v5",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Two-Way Property Binding Sanitization Bypass (XSS)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54265",
        "datePublished": "2026-06-22T15:27:38.802Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-22T15:54:58.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54264 (GCVE-0-2026-54264)

    Vulnerability from nvd – Published: 2026-06-22 15:32 – Updated: 2026-06-23 13:46
    VLAI
    Title
    Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54264",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T13:46:15.588316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T13:46:25.169Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:32:48.163Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p"
            },
            {
              "name": "https://github.com/angular/angular/pull/69029",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69029"
            },
            {
              "name": "https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08"
            }
          ],
          "source": {
            "advisory": "GHSA-qxh6-94w6-9r5p",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54264",
        "datePublished": "2026-06-22T15:32:48.163Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-23T13:46:25.169Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-52725 (GCVE-0-2026-52725)

    Vulnerability from nvd – Published: 2026-06-22 15:18 – Updated: 2026-06-22 15:59
    VLAI
    Title
    Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0 < 21.2.15
    Affected: >= 20.0.0-next.0 < 20.3.22
    Affected: >= 19.0.0-next.0 < 19.2.22
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-52725",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:59:13.494116Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:59:33.229Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0 \u003c 19.2.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a \u003cscript\u003e or namespaced script element (such as \u003csvg:script\u003e). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a \u003cscript\u003e tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:18:43.036Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-692r-grfm-v8x7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-692r-grfm-v8x7"
            },
            {
              "name": "https://github.com/angular/angular/pull/68686",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68686"
            },
            {
              "name": "https://github.com/angular/angular/pull/68713",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68713"
            }
          ],
          "source": {
            "advisory": "GHSA-692r-grfm-v8x7",
            "discovery": "UNKNOWN"
          },
          "title": "Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-52725",
        "datePublished": "2026-06-22T15:18:43.036Z",
        "dateReserved": "2026-06-08T14:00:43.571Z",
        "dateUpdated": "2026-06-22T15:59:33.229Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50557 (GCVE-0-2026-50557)

    Vulnerability from nvd – Published: 2026-06-22 15:11 – Updated: 2026-06-22 17:54
    VLAI
    Title
    Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22, an issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., <svg:script> or <:svg:script>) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 21.0.0-next.0 < 21.2.15
    Affected: >= 22.0.0-next.0 < 22.0.0-rc.2
    Affected: >= 20.0.0-next.0 < 20.3.22
    Affected: >= 19.0.0-next.0 < 19.2.22
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50557",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:51:06.519025Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:54:55.320Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0 \u003c 19.2.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22, an issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., \u003csvg:script\u003e or \u003c:svg:script\u003e) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular\u0027s script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:11:48.347Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-f3m7-gqxr-g87x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-f3m7-gqxr-g87x"
            },
            {
              "name": "https://github.com/angular/angular/pull/68689",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68689"
            },
            {
              "name": "https://github.com/angular/angular/pull/68868",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68868"
            }
          ],
          "source": {
            "advisory": "GHSA-f3m7-gqxr-g87x",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Template and Attribute Namespace Sanitization Bypass (XSS)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50557",
        "datePublished": "2026-06-22T15:11:48.347Z",
        "dateReserved": "2026-06-04T21:34:34.426Z",
        "dateUpdated": "2026-06-22T17:54:55.320Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50178 (GCVE-0-2026-50178)

    Vulnerability from nvd – Published: 2026-06-22 15:20 – Updated: 2026-06-22 16:04
    VLAI
    Title
    Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension
    Summary
    The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer's host machine. Prior to 21.2.4, This vulnerability is fixed in 21.2.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:04:42.457578Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:04:50.886Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 21.2.4"
                }
              ]
            },
            {
              "product": "Angular.ng-template",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 21.2.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. the client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option (located in client/src/client.ts). This setting instructs VS Code to trust all rendered content it receives, which enables active elements such as command: URIs. However, the background Angular Language Server process fails to escape or sanitize brackets, raw links, and control characters from JSDoc strings before forwarding the hover Markdown content (located in server/src/handlers/hover.ts and server/src/text_render.ts). An attacker can leverage this behavior by crafting a project TypeScript or JavaScript file (or a third-party npm package dependency) containing a malicious JSDoc tooltip with an embedded active command link. When a developer hovers over the target symbol to render the tooltip and clicks the malicious link, the IDE executes the command sequence directly on the developer\u0027s host machine. Prior to 21.2.4,  This vulnerability is fixed in 21.2.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:20:39.800Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-q94j-3wj3-4xcm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-q94j-3wj3-4xcm"
            }
          ],
          "source": {
            "advisory": "GHSA-q94j-3wj3-4xcm",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Remote Code Execution via JSDoc Hover Command Injection in VS Code Angular Language Service Extension"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50178",
        "datePublished": "2026-06-22T15:20:39.800Z",
        "dateReserved": "2026-06-03T22:05:13.644Z",
        "dateUpdated": "2026-06-22T16:04:50.886Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49241 (GCVE-0-2026-49241)

    Vulnerability from nvd – Published: 2026-06-22 15:16 – Updated: 2026-06-23 13:42
    VLAI
    Title
    Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Code Extension
    Summary
    The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process. During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path. An attacker can exploit this behavior by committing a repository containing a local malicious tsserverlibrary.js script inside a custom folder, and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background. This vulnerability is fixed in 21.2.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-427 - Uncontrolled Search Path Element
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: < 21.2.4
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49241",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T13:42:16.744796Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T13:42:26.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 21.2.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. Prior to 21.2.4, the client-side Angular Language Service VS Code extension reads the custom TypeScript SDK paths typescript.tsdk and js/ts.tsdk.path directly from workspace configurations (.vscode/settings.json) without verifying VS Code Workspace Trust state or asking for user consent (located in client/src/client.ts). The client-side extension then passes the parsed settings path as a command-line argument (--tsdk) to the background Node.js language server process. During server initialization, the background language server resolves and dynamically imports (via standard Node.js require()) the module library tsserverlibrary.js relative to the workspace-specified custom directory path. An attacker can exploit this behavior by committing a repository containing a local malicious tsserverlibrary.js script inside a custom folder, and a crafted .vscode/settings.json file pointing to that folder. When a developer opens the repository folder in VS Code, the extension automatically attempts to initialize and load the server, which dynamically resolves, loads, and executes the malicious script silently in the background. This vulnerability is fixed in 21.2.4."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-427",
                  "description": "CWE-427: Uncontrolled Search Path Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "CWE-494: Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:16:14.945Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-ccq4-xmxr-8hcq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-ccq4-xmxr-8hcq"
            },
            {
              "name": "https://github.com/angular/angular/pull/68857",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68857"
            },
            {
              "name": "https://github.com/angular/angular/pull/68886",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68886"
            }
          ],
          "source": {
            "advisory": "GHSA-ccq4-xmxr-8hcq",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Multiple Remote Code Execution Vulnerabilities in Angular Language Service VS Code Extension"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-49241",
        "datePublished": "2026-06-22T15:16:14.945Z",
        "dateReserved": "2026-05-28T14:33:01.177Z",
        "dateUpdated": "2026-06-23T13:42:26.808Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50171 (GCVE-0-2026-50171)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:49 – Updated: 2026-06-23 16:02
    VLAI
    Title
    Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-834 - Excessive Iteration
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50171",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:16:53.849153Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T16:02:07.902Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a Denial of Service (DoS) vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum fraction digits parsed from the digitsInfo string (e.g., 1.2-4) are converted to integers and used without limits. When parsing a maliciously crafted digitsInfo string with excessively large fraction digit values (e.g., 1.200000000-200000000), the internal roundNumber function attempts to pad the digits array to match the requested fraction size. This results in an unbounded loop that repeatedly pushes elements into an array.  This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-834",
                  "description": "CWE-834: Excessive Iteration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:49:51.774Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-p3vc-36g9-x9gr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-p3vc-36g9-x9gr"
            }
          ],
          "source": {
            "advisory": "GHSA-p3vc-36g9-x9gr",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50171",
        "datePublished": "2026-06-22T15:49:51.774Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-23T16:02:07.902Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50184 (GCVE-0-2026-50184)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:42 – Updated: 2026-06-23 13:48
    VLAI
    Title
    Angular: Request Credential & Cache Policy Stripping in Angular Service Worker
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: 'omit') and the HTTP cache mode configuration (such as cache: 'no-store'). These are reverted back to standard browser-default parameters (credentials: 'same-origin' and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker's engine, making private page states accessible or persistent inside the client's local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50184",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T13:48:06.163682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T13:48:24.684Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips explicit client-defined safety parameters: the credentials configuration (such as credentials: \u0027omit\u0027) and the HTTP cache mode configuration (such as cache: \u0027no-store\u0027). These are reverted back to standard browser-default parameters (credentials: \u0027same-origin\u0027 and default HTTP cache properties). This causes the browser to include active credentials (such as cookies or Authorization headers) on outbound requests where the client-side developer explicitly instructed they should be omitted, leading to potential session leaks. Additionally, it causes private or non-cacheable resources to be cached by the service worker\u0027s engine, making private page states accessible or persistent inside the client\u0027s local cache post-logout. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:50:48.049Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-95qp-cmmw-mgqv"
            },
            {
              "name": "https://github.com/angular/angular/pull/68904",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68904"
            }
          ],
          "source": {
            "advisory": "GHSA-95qp-cmmw-mgqv",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Request Credential \u0026 Cache Policy Stripping in Angular Service Worker"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50184",
        "datePublished": "2026-06-22T15:42:05.167Z",
        "dateReserved": "2026-06-03T22:05:13.644Z",
        "dateUpdated": "2026-06-23T13:48:24.684Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50169 (GCVE-0-2026-50169)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:41 – Updated: 2026-06-22 17:32
    VLAI
    Title
    Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: 'error'), falling back to the browser's default 'follow' strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary ("Confused Deputy") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50169",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:32:21.478134Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:32:36.408Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15 20.3.22, and 19.2.23, an issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During this reconstruction process, the helper function strips the strict, client-defined request redirect policy configuration (such as redirect: \u0027error\u0027), falling back to the browser\u0027s default \u0027follow\u0027 strategy. If the target web application makes client-side requests with a strict policy (e.g., expecting a network error instead of automatically following redirects), the service worker will bypass this instruction and automatically follow HTTP 3xx redirects to other destinations. This acts as an unintended proxy/intermediary (\"Confused Deputy\") and can result in cookie/credential exposure or same-origin session-restricted data leakage if public dynamic routes redirect to sensitive routes. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:46:26.364Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-gv2q-mqqv-365m"
            },
            {
              "name": "https://github.com/angular/angular/pull/67494",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/67494"
            }
          ],
          "source": {
            "advisory": "GHSA-gv2q-mqqv-365m",
            "discovery": "UNKNOWN"
          },
          "title": "Angular Service Worker Policy-Bypass \u0026 Credential-Stripping Vulnerabilities"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50169",
        "datePublished": "2026-06-22T15:41:17.125Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-22T17:32:36.408Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-46417 (GCVE-0-2026-46417)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:40 – Updated: 2026-06-30 03:15
    VLAI
    Title
    Angular: SSRF via Hostname Hijacking in @angular/platform-server
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-next.12
    Affected: >= 21.0.0-next.0, < 21.2.13
    Affected: >= 20.0.0-next.0, < 20.3.21
    Affected: >= 19.0.0-next.0, < 19.2.22
    Affected: <= 18.2.14
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-46417",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T14:16:15.745160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T14:18:28.135Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T15:40:32.527Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T03:15:36.788Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-46417"
              },
              {
                "name": "RHBZ#2491444",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491444"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46417.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T18:01:21.611Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T15:40:32.527Z",
                "value": "Made public."
              }
            ],
            "title": "@angular/platform-server: Angular: SSRF via Hostname Hijacking in @angular/platform-server",
            "workarounds": [
              {
                "lang": "en",
                "value": "To mitigate this vulnerability, implement strict URL validation within the server entry point of applications utilizing `@angular/platform-server`. Developers should ensure that the `req.url` is validated against a predefined list of trusted hostnames or normalized to a relative path before being passed to `renderApplication` or `renderModule`. This prevents the server-side rendering engine from being manipulated by attacker-controlled domains."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-next.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.21"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.22"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the \"current\" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:48:53.298Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v"
            },
            {
              "name": "https://github.com/angular/angular/pull/68570",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68570"
            }
          ],
          "source": {
            "advisory": "GHSA-rfh7-fxqc-q52v",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: SSRF via Hostname Hijacking in @angular/platform-server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-46417",
        "datePublished": "2026-06-22T15:40:32.527Z",
        "dateReserved": "2026-05-13T21:04:10.933Z",
        "dateUpdated": "2026-06-30T03:15:36.788Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50168 (GCVE-0-2026-50168)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:39 – Updated: 2026-06-22 17:59
    VLAI
    Title
    Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Bypass
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node's strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino's internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50168",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:59:41.275571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:59:49.283Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and the lenient Domino URL parser used to initialize the server emulated DOM. When a server-side request contains a malformed URL with a double port structure (e.g., http://evil.com:80:80/path), Node\u0027s strict URL.canParse(url) logic returns false and skips host check validation entirely. However, the same malformed URL is later accepted and parsed leniently by Domino\u0027s internal parser, which resolves the origin to http://evil.com:80. The Angular SSR HTTP request interceptor (relativeUrlsTransformerInterceptorFn) then resolves all relative backend HTTP requests against this adopted origin, executing the SSRF attack. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:47:10.871Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-xrxm-cp7j-8xf6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-xrxm-cp7j-8xf6"
            },
            {
              "name": "https://github.com/angular/angular/pull/68928",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/68928"
            }
          ],
          "source": {
            "advisory": "GHSA-xrxm-cp7j-8xf6",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: URL Parser Differential in @angular/platform-server leading to SSRF Allowlist Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50168",
        "datePublished": "2026-06-22T15:39:46.193Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-22T17:59:49.283Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50170 (GCVE-0-2026-50170)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:39 – Updated: 2026-06-23 16:00
    VLAI
    Title
    Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user's private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-524 - Use of Cache Containing Sensitive Information
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.15
    Affected: >= 20.0.0-next.0, < 20.3.22
    Affected: >= 19.0.0-next.0, < 19.2.23
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50170",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T16:00:13.983210Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T16:00:21.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.22"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.23"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability was discovered in @angular/common when Server-Side Rendering (SSR) and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState. However, the caching mechanism fails to inspect the withCredentials flag or the Cookie header of outgoing requests. As a result, credentialed, user-specific responses may be cached by default in the shared TransferState payload. When these responses are serialized into the HTML, any caching layer (such as a CDN, reverse proxy, or shared server cache) that caches the SSR-rendered HTML page could inadvertently cache and leak one user\u0027s private data to other users, leading to a high-severity information disclosure vulnerability. This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-524",
                  "description": "CWE-524: Use of Cache Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T16:01:17.572Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-q6f4-qqrg-jv6x"
            },
            {
              "name": "https://github.com/angular/angular/pull/67964",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/67964"
            }
          ],
          "source": {
            "advisory": "GHSA-q6f4-qqrg-jv6x",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50170",
        "datePublished": "2026-06-22T15:39:08.877Z",
        "dateReserved": "2026-06-03T20:54:20.433Z",
        "dateUpdated": "2026-06-23T16:00:21.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50556 (GCVE-0-2026-50556)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:38 – Updated: 2026-07-03 12:04
    VLAI
    Title
    Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.16
    Affected: >= 20.0.0-next.0, < 20.3.24
    Affected: >= 19.0.0-next.0, < 19.2.25
    Affected: <= 18.2.14
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50556",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T21:14:35.418340Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T21:17:45.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:jboss_fuse:7"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Fuse 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-06-22T15:38:28.166Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in @angular/platform-server. This Cross-Site Scripting (XSS) vulnerability exists in its DOM emulation dependency, domino, when handling the content of `\u003cnoscript\u003e` elements during server-side rendering. A remote attacker could exploit this by injecting unescaped closing `\u003c/noscript\u003e` tags within dynamic text content. This allows for the execution of arbitrary code in the user\u0027s browser context, potentially leading to information disclosure or other malicious activities."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-03T12:04:57.639Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-50556"
              },
              {
                "name": "RHBZ#2491459",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491459"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50556.json"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-06-22T18:02:18.131Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-06-22T15:38:28.166Z",
                "value": "Made public."
              }
            ],
            "title": "@angular/platform-server: domino: Angular Platform Server: Cross-Site Scripting via unescaped `\u003c/noscript\u003e` tags in dynamic content",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.24"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server\u0027s DOM emulation dependency (domino) when serializing the content of \u003cnoscript\u003e elements. When rendering dynamic text content inside a \u003cnoscript\u003e element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning \u003cnoscript\u003e is treated as a raw-text element. However, domino\u0027s serializer completely omitted \u003cnoscript\u003e from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of \u003c/noscript\u003e in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. \u003cnoscript\u003e\u003c/noscript\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/noscript\u003e). When parsed by a browser, it closes the \u003cnoscript\u003e block early, allowing the injected \u003cscript\u003e block to execute in the user\u0027s browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:38:28.166Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx"
            },
            {
              "name": "https://github.com/angular/angular/issues/68903",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/issues/68903"
            },
            {
              "name": "https://github.com/angular/domino/pull/29",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/domino/pull/29"
            }
          ],
          "source": {
            "advisory": "GHSA-gxx4-3xcv-f8qx",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Missing `\u003cnoscript\u003e` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50556",
        "datePublished": "2026-06-22T15:38:28.166Z",
        "dateReserved": "2026-06-04T21:34:34.426Z",
        "dateUpdated": "2026-07-03T12:04:57.639Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-50555 (GCVE-0-2026-50555)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:37 – Updated: 2026-06-22 17:58
    VLAI
    Title
    Angular: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in @angular/platform-server
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of raw-text elements (such as <script>, <style>, and <iframe>). domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode index alignment bug existed in this escaping logic. In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral characters—such as emojis—occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters before the closing tag (e.g. </script>, </style>, or </iframe>), the index offset calculation in domino's replacement logic shifted. This misalignment caused domino to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML. An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., 😀</iframe><script>alert(1)</script>). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent <script> block, leading to same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0, < 22.0.0-rc.2
    Affected: >= 21.0.0-next.0, < 21.2.16
    Affected: >= 20.0.0-next.0, < 20.3.24
    Affected: >= 19.0.0-next.0, < 19.2.25
    Affected: <= 18.2.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-50555",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:56:51.469447Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:58:33.065Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0, \u003c 22.0.0-rc.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0, \u003c 21.2.16"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0, \u003c 20.3.24"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-next.0, \u003c 19.2.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 18.2.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server\u0027s DOM emulation dependency (domino) when serializing the content of raw-text elements (such as \u003cscript\u003e, \u003cstyle\u003e, and \u003ciframe\u003e). domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode index alignment bug existed in this escaping logic. In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral characters\u2014such as emojis\u2014occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters before the closing tag (e.g. \u003c/script\u003e, \u003c/style\u003e, or \u003c/iframe\u003e), the index offset calculation in domino\u0027s replacement logic shifted. This misalignment caused domino to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML. An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., \ud83d\ude00\u003c/iframe\u003e\u003cscript\u003ealert(1)\u003c/script\u003e). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent \u003cscript\u003e block, leading to same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:37:29.943Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-hqr9-c56f-3x7f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-hqr9-c56f-3x7f"
            },
            {
              "name": "https://github.com/angular/domino/pull/29",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/domino/pull/29"
            }
          ],
          "source": {
            "advisory": "GHSA-hqr9-c56f-3x7f",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) in @angular/platform-server"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-50555",
        "datePublished": "2026-06-22T15:37:29.943Z",
        "dateReserved": "2026-06-04T21:34:34.425Z",
        "dateUpdated": "2026-06-22T17:58:33.065Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54264 (GCVE-0-2026-54264)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:32 – Updated: 2026-06-23 13:46
    VLAI
    Title
    Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54264",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T13:46:15.588316Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T13:46:25.169Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an information disclosure vulnerability exists in the @angular/service-worker package of the Angular framework. When the Service Worker fetches assets, it preserves metadata (such as headers) from the original request. However, on cross-origin redirects, the Service Worker fails to strip sensitive headers, violating the Fetch redirect algorithm. This allows a remote attacker to obtain sensitive credentials (e.g., Authorization tokens, Proxy-Authorization credentials, or session cookies) by triggering a cross-origin redirect to an untrusted external origin. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-359",
                  "description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:32:48.163Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-qxh6-94w6-9r5p"
            },
            {
              "name": "https://github.com/angular/angular/pull/69029",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69029"
            },
            {
              "name": "https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/47d68dcb26266316647133ab6385e77fc3e5ae08"
            }
          ],
          "source": {
            "advisory": "GHSA-qxh6-94w6-9r5p",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54264",
        "datePublished": "2026-06-22T15:32:48.163Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-23T13:46:25.169Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54268 (GCVE-0-2026-54268)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:31 – Updated: 2026-06-23 16:09
    VLAI
    Title
    Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-1333 - Inefficient Regular Expression Complexity
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54268",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-23T16:07:25.833697Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-23T16:09:21.239Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, a Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, excessively long date format string (e.g., a repeating pattern or very large string), the internal parser splits the string iteratively using a regular expression loop. This results in uncontrolled resource consumption (high CPU utilization and excessive memory allocations), leading to a Denial of Service (DoS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1333",
                  "description": "CWE-1333: Inefficient Regular Expression Complexity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:31:47.836Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-48r7-hpm6-gfxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-48r7-hpm6-gfxm"
            },
            {
              "name": "https://github.com/angular/angular/pull/69197",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69197"
            },
            {
              "name": "https://github.com/angular/angular/commit/eeb03f4ea310e2e51ba5d53a421ec7b418e186cd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/eeb03f4ea310e2e51ba5d53a421ec7b418e186cd"
            }
          ],
          "source": {
            "advisory": "GHSA-48r7-hpm6-gfxm",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Denial of Service (DoS) via OOM in Date Formatting (formatDate)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54268",
        "datePublished": "2026-06-22T15:31:47.836Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-23T16:09:21.239Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54267 (GCVE-0-2026-54267)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:30 – Updated: 2026-06-22 16:00
    VLAI
    Title
    Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    • CWE-471 - Modification of Assumed-Immutable Data (MAID)
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54267",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T16:00:23.479828Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T16:00:36.910Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application\u0027s runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a \u003cscript\u003e tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById(\u0027ng-state\u0027) and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., \u003cdiv [id]=\"userInput\"\u003e or \u003ca id=\"ng-state\"\u003e) before the genuine \u003cscript\u003e tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById(\u0027ng-state\u0027), the browser returns the attacker\u0027s clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-471",
                  "description": "CWE-471: Modification of Assumed-Immutable Data (MAID)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:30:48.699Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg"
            },
            {
              "name": "https://github.com/angular/angular/pull/69064",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69064"
            },
            {
              "name": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa"
            }
          ],
          "source": {
            "advisory": "GHSA-rgjc-h3x7-9mwg",
            "discovery": "UNKNOWN"
          },
          "title": "Angular Client Hydration DOM Clobbering \u0026 Response-Cache Poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54267",
        "datePublished": "2026-06-22T15:30:48.699Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-22T16:00:36.910Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54266 (GCVE-0-2026-54266)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:28 – Updated: 2026-06-22 17:56
    VLAI
    Title
    Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-328 - Use of Weak Hash
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54266",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T17:55:58.476641Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T17:56:12.976Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular\u0027s HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "CWE-328: Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:28:42.561Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-39pv-4j6c-2g6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-39pv-4j6c-2g6v"
            },
            {
              "name": "https://github.com/angular/angular/pull/69153",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69153"
            },
            {
              "name": "https://github.com/angular/angular/commit/5f36274da3f961430ae72865159afa02a1dd9133",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/5f36274da3f961430ae72865159afa02a1dd9133"
            }
          ],
          "source": {
            "advisory": "GHSA-39pv-4j6c-2g6v",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54266",
        "datePublished": "2026-06-22T15:28:42.561Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-22T17:56:12.976Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-54265 (GCVE-0-2026-54265)

    Vulnerability from cvelistv5 – Published: 2026-06-22 15:27 – Updated: 2026-06-22 15:54
    VLAI
    Title
    Angular: Two-Way Property Binding Sanitization Bypass (XSS)
    Summary
    Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    angular angular Affected: >= 22.0.0-next.0 < 22.0.1
    Affected: >= 21.0.0-next.0 < 21.2.17
    Affected: >= 20.0.0-next.0 < 20.3.25
    Affected: <= 19.2.25
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54265",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-22T15:54:52.170678Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-22T15:54:58.231Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "angular",
              "vendor": "angular",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 19.2.25"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]=\"value\" or bindon-innerHTML=\"value\"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular\u0027s built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-22T15:27:38.802Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5"
            },
            {
              "name": "https://github.com/angular/angular/pull/69107",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/pull/69107"
            },
            {
              "name": "https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4"
            }
          ],
          "source": {
            "advisory": "GHSA-58w9-8g37-x9v5",
            "discovery": "UNKNOWN"
          },
          "title": "Angular: Two-Way Property Binding Sanitization Bypass (XSS)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-54265",
        "datePublished": "2026-06-22T15:27:38.802Z",
        "dateReserved": "2026-06-12T17:13:32.279Z",
        "dateUpdated": "2026-06-22T15:54:58.231Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }