CVE-2026-50555
Undergoing Analysis Undergoing Analysis - In Progress
Cross-Site Scripting in Angular Platform Server

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of raw-text elements (such as <script>, <style>, and <iframe>). domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode index alignment bug existed in this escaping logic. In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral charactersβ€”such as emojisβ€”occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters before the closing tag (e.g. </script>, </style>, or </iframe>), the index offset calculation in domino's replacement logic shifted. This misalignment caused domino to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML. An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., πŸ˜€</iframe><script>alert(1)</script>). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent <script> block, leading to same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-23
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-50555
EUVD
EUVD-2026-38289
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
angular platform-server to 22.0.0-rc.2 (exc)
angular platform-server to 21.2.16 (exc)
angular platform-server to 20.3.24 (exc)
angular platform-server to 19.2.25 (exc)
angular angular to 22.0.0-rc.2 (exc)
angular angular to 21.2.16 (exc)
angular angular to 20.3.24 (exc)
angular angular to 19.2.25 (exc)
angular angular to 18.2.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-50555 is a Cross-Site Scripting (XSS) vulnerability in Angular's server-side rendering (SSR) process, specifically in the domino library used for DOM emulation. The issue arises from a Unicode index alignment bug when serializing raw-text elements like <script>, <style>, and <iframe>. Astral Unicode characters (such as emojis) occupy two UTF-16 code units, which causes the escaping logic to miscalculate the position of closing tags. This misalignment prevents proper escaping of closing tags, allowing an attacker who controls dynamic text to inject malicious scripts that execute when the page is rendered on the server.

Impact Analysis

This vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks by injecting malicious JavaScript payloads into server-rendered pages. The impact includes potential session hijacking, credential theft, unauthorized actions on behalf of the user, and defacement of the web application. Since the attack occurs during server-side rendering, it can affect all users viewing the compromised content.

Detection Guidance

Detection of this vulnerability involves identifying if your Angular server-side rendering (SSR) environment uses affected versions of the @angular/platform-server package or the domino library with the Unicode index alignment bug.

You can check the installed Angular platform-server version by running commands like:

  • npm list @angular/platform-server
  • npm ls domino

Additionally, scanning your server-rendered HTML output for unescaped closing tags within raw-text elements (such as <script>, <style>, or <iframe>) especially following astral Unicode characters (e.g., emojis) can help detect exploitation attempts.

Network detection might include monitoring for payloads containing astral Unicode characters followed by closing tags and script injections, for example strings like πŸ˜€</iframe><script>alert(1)</script> in HTTP requests or logs.

Mitigation Strategies

Immediate mitigation steps include upgrading the @angular/platform-server package to one of the patched versions: 19.2.25, 20.3.24, 21.2.16, or 22.0.0-rc.2 or later.

If upgrading is not immediately possible, avoid binding user-controlled data inside raw-text elements such as <script>, <style>, or <iframe> during server-side rendering.

Sanitize or strip any user input that may contain closing tags or astral Unicode characters before rendering to prevent the misalignment bug from being exploited.

Review your server-side rendering logic and dependencies to ensure the domino library is updated to a version that includes the fix merged in May 2026.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart