CVE-2026-50555
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A Cross-Site Scripting (XSS) vulnerability (CVE-2026-50555) has been identified in Angular's Platform Server, which allows attackers to bypass the escaping of raw-text elements during Server-Side Rendering (SSR) and can lead to arbitrary JavaScript execution within the context of the victim's browser session.
Per OWASP, this vulnerability falls under Stored Cross-Site Scripting. Stored XSS occurs when an application stores untrusted input and later renders it without proper neutralization. In this case, the injected payload may execute when a user interacts with the affected element or automatically when an animation is triggered.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/platform-server
- Affected versions:
  - <=18.2.14
  - >=19.0.0-next.0 <19.2.25
  - >=20.0.0-next.0 <20.3.24
  - >=21.0.0-next.0 <21.2.16
  - >=22.0.0-next.0 <22.0.0-rc.2
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/platform-server
- Package manager: npm
- Fixed in:
  - OSS Angular v19.2.25, v20.3.24, v21.2.16 and v22.0.0-rc.2
Vulnerability Info
This High-severity vulnerability is found in the @angular/platform-server package in multiple published versions of Angular. The underlying defect is in domino, the DOM emulation dependency that Platform Server uses to serialize rendered HTML on the server.
When domino serializes the content of raw-text elements such as <script>, <style>, and <iframe>, it escapes any closing tag found inside the bound text to prevent an early breakout from the raw-text context. This escaping logic contains a Unicode index alignment bug. JavaScript measures string length and character positions in UTF-16 code units, and astral characters, such as emojis, occupy two code units rather than one. If bound dynamic text contains an astral character before a closing tag, the offset used by domino's replacement logic shifts, and the closing tag is left raw and unescaped in the serialized output.
An attacker who controls the dynamic text bound inside a raw-text element can therefore supply a value that combines an astral character with a closing tag, for example an emoji followed directly by </iframe><script>alert(1)</script>. Because the closing tag is not escaped, the browser exits the raw-text context early when it parses the server-rendered page and executes the script that follows, producing same-origin Cross-Site Scripting against any user who visits the affected page.
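The index mismatch described above, modelled as an added JavaScript example. It is constructed for illustration and is not domino's or Angular's source; the function names and the &lt; escape form are assumptions. The buggy escaper counts the match position in code points but applies it in UTF-16 code units, the fixed one works in a single unit throughout, and hasRawClosingTag is a regression check that can be run over serialized output.

```javascript
// Constructed model of the bug class; NOT domino's or Angular's source.
// All function names are hypothetical.

// BUGGY: the position is counted in code points (Array.from) but applied with
// slice(), which counts UTF-16 code units. Every astral character in front of
// the closing tag makes the applied offset one unit too small.
function escapeClosingTagBuggy(rawText, tag) {
  const needle = '</' + tag.toLowerCase();
  const points = Array.from(rawText);
  let out = rawText;
  // Walk right to left so earlier offsets stay valid after each replacement.
  for (let i = points.length - needle.length; i >= 0; i--) {
    const candidate = points.slice(i, i + needle.length).join('').toLowerCase();
    if (candidate === needle) {
      out = out.slice(0, i) + '&lt;' + out.slice(i + 1);
    }
  }
  return out;
}

// FIXED: search and replace both operate on the same UTF-16 string,
// so no offset is ever converted between units.
function escapeClosingTagFixed(rawText, tag) {
  if (!/^[a-z][a-z0-9]*$/i.test(tag)) {
    throw new TypeError('unexpected tag name: ' + tag);
  }
  return rawText.replace(new RegExp('</(?=' + tag + ')', 'gi'), '&lt;/');
}

// Regression check: true if the serialized raw text still contains a literal
// closing tag for its parent element.
function hasRawClosingTag(serialized, tag) {
  return serialized.toLowerCase().includes('</' + tag.toLowerCase());
}

// Constructed sample inputs: BMP-only text, then text with astral characters.
const samples = ['plain</iframe>', '\u{1F600}</iframe>', '\u{1F600}\u{1F600}</IFRAME>'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    'buggy leaves raw tag:', hasRawClosingTag(escapeClosingTagBuggy(s, 'iframe'), 'iframe'),
    'fixed leaves raw tag:', hasRawClosingTag(escapeClosingTagFixed(s, 'iframe'), 'iframe'));
}
```

A test suite that only uses BMP characters passes against both versions, which is why the regression inputs need at least one astral character ahead of the closing tag.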
This vulnerability allows an attacker to perform same-origin Cross-Site Scripting against any user who visits an SSR-rendered page that binds user-controlled data inside a raw-text element. Successful exploitation results in arbitrary JavaScript execution within the victim's browser session, which can lead to:
- Session hijacking: Stealing session cookies, localStorage data, or authentication tokens.
- Credential theft: Capturing user credentials entered into the compromised page.
- Unauthorized actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.
- Defacement: Altering the content rendered to the user.
Mitigation
Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.