CVE-2026-11998
Received Received - Intake
AngularJS SCE Policy Bypass Leads to XSS

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: HeroDevs

Description
A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session. SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs. This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see theΒ  End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-11998
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
angularjs angularjs From 1.2.0-rc.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-791 The product receives data from an upstream component, but does not completely filter special elements before sending it to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a flaw in AngularJS's Strict Contextual Escaping (SCE) logic that allows bypassing certain SCE policies for resource URLs.

SCE is designed to ensure that only trusted or safe values are used in security-sensitive contexts such as resource URLs, including executable JavaScript scripts, iframe documents, and route templates.

The flaw arises because the logic that matches entire URLs against regular expression matchers can result in partial matches for some regular expressions, effectively bypassing the policies and allowing unsafe values to be used as resource URLs.

This can lead to arbitrary JavaScript execution within the context of the victim's browser session.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code within the victim's browser session.

Such arbitrary code execution can lead to a range of impacts including theft of sensitive information, session hijacking, and potentially further attacks on the victim's system or network.

Because the vulnerability allows bypassing security policies intended to restrict resource URLs, it undermines the security model of applications using AngularJS versions affected by this flaw.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11998. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart