Vulnerability Directory | CVE-2026-50557

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

A Cross-Site Scripting (XSS) vulnerability (CVE-2026-50557) has been identified in Angular's Template Compiler and Core, which allows attackers to bypass element and attribute sanitization through namespaced elements and can lead to arbitrary JavaScript execution within the context of the victim's browser session.

Per OWASP, this vulnerability falls under Stored Cross-Site Scripting. Stored XSS occurs when an application stores untrusted input and later renders it without proper neutralization. In this case, the injected payload may execute when a user interacts with the affected element or automatically when an animation is triggered.

This issue affects multiple versions of Angular.

‍

Details

Module Info

Product: Angular
Affected packages: @angular/compiler, @angular/core
Affected versions:
- <=18.2.14
- >=19.0.0-next.0 <19.2.23
- >=20.0.0-next.0 <20.3.22
- >=21.0.0-next.0 <21.2.15
- >=22.0.0-next.0 <22.0.0-rc.2
GitHub repository: https://github.com/angular/angular
Published packages:
- https://www.npmjs.com/package/@angular/compiler
- https://www.npmjs.com/package/@angular/core
Package manager: npm
Fixed in:
- OSS Angular v19.2.23, v20.3.22, v21.2.15 and v22.0.0-rc.2

Vulnerability Info

This Medium-severity vulnerability is found in the @angular/compiler and @angular/core packages in multiple published versions of Angular.

Angular's template preparser is responsible for identifying and stripping <script> elements during template compilation, and its sanitizers validate element attributes against an internal security context schema. However, the preparser does not recognize namespaced script elements such as <svg:script> or <:svg:script> as script elements, so they pass through compilation without being stripped.

In addition, the security context schema that maps element attributes to their required sanitization does not consistently account for attributes on namespaced elements such as SVG and MathML. This leaves gaps in which malicious attributes on namespaced elements bypass both the compile-time and runtime sanitizers.

Together, these gaps allow an attacker who can inject or supply a template or tag structure that uses custom namespaces to evade Angular's script-stripping logic and attribute sanitizers, for example by supplying a svg:script element or namespaced attribute bindings. The result is client-side XSS that executes arbitrary JavaScript in the browser of any user who renders the affected template.

This vulnerability affects any Angular application that compiles user-controlled templates at runtime, or that relies on the sanitization of namespaced elements and attributes. Successful exploitation results in arbitrary JavaScript execution within the victim's browser session, which can lead to:

Session hijacking: Stealing session cookies, localStorage data, or authentication tokens.
Sensitive data exposure: Reading sensitive information displayed within or accessible to the application, such as personal data shown on the page.
Unauthorized actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

‍

Mitigation

Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations: