CVE-2026-50555
Analyzed Analyzed - Analysis Complete

Cross-Site Scripting in Angular Platform Server

Vulnerability report for CVE-2026-50555, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of raw-text elements (such as <script>, <style>, and <iframe>). domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode index alignment bug existed in this escaping logic. In JavaScript, string lengths and character indices are calculated based on UTF-16 code units (where astral charactersβ€”such as emojisβ€”occupy 2 code units / 4 bytes). If the bound dynamic text contained astral Unicode characters before the closing tag (e.g. </script>, </style>, or </iframe>), the index offset calculation in domino's replacement logic shifted. This misalignment caused domino to fail to replace or escape the closing tag, leaving it raw and unescaped in the output HTML. An attacker who controls the dynamic text can supply a payload containing both an astral Unicode character and a closing tag (e.g., πŸ˜€</iframe><script>alert(1)</script>). When serialized on the server during SSR, the browser parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent <script> block, leading to same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-09
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 19 associated CPEs
Vendor Product Version / Range
angular angular to 18.2.14 (inc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular From 19.0.0 (inc) to 19.2.25 (exc)
angular angular From 20.0.0 (inc) to 20.3.24 (exc)
angular angular From 21.0.0 (inc) to 21.2.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-50555 is a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary JavaScript in the context of the affected Angular server-side rendered applications. Such XSS vulnerabilities can lead to session hijacking, credential theft, unauthorized actions, or defacement.

From a compliance perspective, this vulnerability can impact adherence to common standards and regulations like GDPR and HIPAA because it compromises the confidentiality and integrity of user data. Exploitation of this vulnerability could result in unauthorized access to personal or sensitive information, which is a violation of data protection requirements.

Organizations using affected Angular versions without applying patches or mitigations may face increased risk of data breaches and non-compliance with security controls mandated by these regulations.

Executive Summary

CVE-2026-50555 is a Cross-Site Scripting (XSS) vulnerability in Angular's server-side rendering (SSR) process, specifically in the domino library used for DOM emulation. The issue arises from a Unicode index alignment bug when serializing raw-text elements like <script>, <style>, and <iframe>. Astral Unicode characters (such as emojis) occupy two UTF-16 code units, which causes the escaping logic to miscalculate the position of closing tags. This misalignment prevents proper escaping of closing tags, allowing an attacker who controls dynamic text to inject malicious scripts that execute when the page is rendered on the server.

Impact Analysis

This vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks by injecting malicious JavaScript payloads into server-rendered pages. The impact includes potential session hijacking, credential theft, unauthorized actions on behalf of the user, and defacement of the web application. Since the attack occurs during server-side rendering, it can affect all users viewing the compromised content.

Detection Guidance

Detection of this vulnerability involves identifying if your Angular server-side rendering (SSR) environment uses affected versions of the @angular/platform-server package or the domino library with the Unicode index alignment bug.

You can check the installed Angular platform-server version by running commands like:

  • npm list @angular/platform-server
  • npm ls domino

Additionally, scanning your server-rendered HTML output for unescaped closing tags within raw-text elements (such as <script>, <style>, or <iframe>) especially following astral Unicode characters (e.g., emojis) can help detect exploitation attempts.

Network detection might include monitoring for payloads containing astral Unicode characters followed by closing tags and script injections, for example strings like πŸ˜€</iframe><script>alert(1)</script> in HTTP requests or logs.

Mitigation Strategies

Immediate mitigation steps include upgrading the @angular/platform-server package to one of the patched versions: 19.2.25, 20.3.24, 21.2.16, or 22.0.0-rc.2 or later.

If upgrading is not immediately possible, avoid binding user-controlled data inside raw-text elements such as <script>, <style>, or <iframe> during server-side rendering.

Sanitize or strip any user input that may contain closing tags or astral Unicode characters before rendering to prevent the misalignment bug from being exploited.

Review your server-side rendering logic and dependencies to ensure the domino library is updated to a version that includes the fix merged in May 2026.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart