CVE-2026-50556
Status: Undergoing Analysis - In Progress
XSS in Angular Platform Server DOM Emulation

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements.

When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances.

The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS).

This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
CVSS Scores: none listed
EPSS Score: not evaluated (N/A)
Affected Vendors & Products

Vendor    Product   Version / Range
angular   angular   from 18.2.14 (inc) to 22.0.0-rc.2 (inc)
angular   angular   to 21.2.16 (inc)
angular   angular   to 20.3.24 (inc)
angular   angular   to 19.2.25 (inc)

The ranges as listed mark their upper bounds as inclusive, but per the description the fixed releases 22.0.0-rc.2, 21.2.16, 20.3.24 and 19.2.25 are not affected. Treat each upper bound as exclusive: every release below it on that release line is affected, the fixed release and anything later on the line is not.
CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The vulnerability allows Cross-Site Scripting (XSS) attacks by injecting malicious scripts into the browser context, which can lead to session hijacking, credential theft, or unauthorized actions.

Such security issues can impact compliance with common standards and regulations like GDPR and HIPAA, as these require protection of user data and prevention of unauthorized access or data breaches.

Failure to mitigate this vulnerability could result in exposure of sensitive personal or health information, violating data protection requirements and potentially leading to legal and regulatory consequences.

Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in Angular's Server-Side Rendering (SSR) platform, specifically in the @angular/platform-server package's dependency called domino. When dynamic text content is rendered inside a <noscript> element using template bindings like {{ value }} or [textContent], domino fails to properly escape the closing </noscript> tag during HTML serialization.

Because domino treats <noscript> as a raw-text element under SSR but omits it from the list of elements whose closing tag is escaped, an attacker who controls the bound text can include a </noscript> sequence in it. Serialized verbatim, that sequence closes the <noscript> block early, and any <script> element that follows it in the bound text is parsed as ordinary markup and executes in the user's browser context, a same-origin XSS.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in the context of your web application by injecting malicious scripts through user-controlled data bound inside <noscript> elements during SSR.

The impact includes potential session hijacking, credential theft, unauthorized actions on behalf of the user, and other malicious activities that exploit the user's browser privileges within the same origin.

Detection Guidance

This vulnerability can be detected by inspecting server-side rendered HTML responses. The injected </noscript> is serialized verbatim, so on its own it is indistinguishable from the template's real closing tag; what is observable is the extra end tag it leaves behind and the markup, typically a <script> element, that lands between the premature close and the real one. Focus on pages whose templates bind dynamic text inside <noscript> via {{ value }} or [textContent].

One approach is to capture HTTP responses from the Angular SSR application and check them for that pattern:

  • Fetch the server-rendered page: curl -s https://your-angular-app.example.com/page > response.html
  • Count <noscript> start tags against </noscript> end tags; a verbatim injected end tag leaves more closes than opens: grep -oi '<noscript[[:space:]>]' response.html | wc -l; grep -oi '</noscript[[:space:]/>]' response.html | wc -l
  • Look for markup, in particular a <script> start tag, directly after an end tag: grep -oi '</noscript>[[:space:]]*<script[^>]*>' response.html
  • Where you control a value that the template binds inside <noscript>, submit a marker such as </noscript><!--marker--> and confirm that the response does not contain the marker's </noscript> sequence verbatim; a verbatim echo is the vulnerable behaviour.
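The following is an added example, not code from Angular or domino. It models the serializer bug described above and turns the browser's parsing rule into a check that can be run over captured SSR responses, so it serves both the description of the mechanism and the detection guidance. The function names (serializeNoscriptVulnerable, serializeNoscriptFixed, analyzeNoscript, scanResponses) and the sample responses are constructed for the example; the escaping in the fixed serializer is one reasonable approach and is not claimed to be the upstream patch.

```javascript
// Added example, not code from Angular or domino: models the serializer bug
// behind CVE-2026-50556 and turns the browser's parsing rule into a check
// that can be run over captured SSR responses. Function names are hypothetical.

// Under SSR the DOM emulation runs with scripting enabled, so <noscript> is a
// raw-text element: its content is serialized verbatim and the tokenizer ends
// it only at "</noscript" followed by whitespace, "/" or ">" (case-insensitive).
const NOSCRIPT_END_TAG = /<\/noscript(?=[\s\/>])/gi;

// Vulnerable serializer: bound text is emitted unchanged, so "</noscript"
// inside it closes the element early.
function serializeNoscriptVulnerable(boundText) {
  return `<noscript>${boundText}</noscript>`;
}

// Fixed serializer (assumed approach; the upstream patch may differ): escape
// the "<" of every end-tag sequence in the bound text. "&lt;" is inert while
// the element is raw text and decodes to "<" when a no-script browser parses
// the content as HTML, so the text still displays as intended.
function serializeNoscriptFixed(boundText) {
  return `<noscript>${boundText.replace(NOSCRIPT_END_TAG, '&lt;/noscript')}</noscript>`;
}

// Walks the HTML the way a scripting-enabled browser does. Text after a
// <noscript> start tag is inert until the first end-tag sequence; anything
// after that is ordinary markup again. A "</noscript" met while already in
// markup is a stray end tag: the markup segment ending there sits between a
// premature close and the template's real close, so its <script> elements
// are the injected ones.
function analyzeNoscript(html) {
  const tag = /<noscript(?:\s[^>]*)?>|<\/noscript(?=[\s\/>])[^>]*>/gi;
  const scriptBody = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const scriptsIn = (seg) => [...seg.matchAll(scriptBody)].map((s) => s[1]);
  let inRaw = false;
  let segStart = 0;
  let strayEndTags = 0;
  const injected = [];
  for (const m of html.matchAll(tag)) {
    const isEndTag = m[0][1] === '/';
    if (inRaw) {
      if (isEndTag) { inRaw = false; segStart = m.index + m[0].length; }
      continue;                       // a start tag inside raw text is just text
    }
    if (isEndTag) {
      strayEndTags += 1;
      injected.push(...scriptsIn(html.slice(segStart, m.index)));
    } else {
      inRaw = true;
    }
    segStart = m.index + m[0].length;
  }
  return { strayEndTags, injected };
}

// Constructed samples: an attacker-controlled value bound inside <noscript>
// as {{ value }}, rendered by each serializer, plus a benign page.
const PAYLOAD = 'Enable JavaScript</noscript><script>alert(1)</script>';
const responses = {
  vulnerable: `<p>Hi</p>${serializeNoscriptVulnerable(PAYLOAD)}<script>init()</script>`,
  fixed: `<p>Hi</p>${serializeNoscriptFixed(PAYLOAD)}<script>init()</script>`,
  benign: '<noscript>Enable JavaScript</noscript><script>init()</script>',
};

// Runs the analysis over a map of captured responses and returns one
// finding per response.
function scanResponses(all) {
  const report = {};
  for (const [name, html] of Object.entries(all)) report[name] = analyzeNoscript(html);
  return report;
}

for (const [name, r] of Object.entries(scanResponses(responses))) {
  console.log(name, r.injected.length ? `INJECTED: ${r.injected.join(' | ')}` : 'clean',
    `(stray end tags: ${r.strayEndTags})`);
}
```

Run it with node. Only the vulnerable sample is flagged: its response carries one stray end tag and the injected alert(1) body, while the template's own init() script after the block is not reported. A payload that reopens <noscript> after its script (</noscript><script>...</script><noscript>) rebalances the tags and evades the stray-end-tag signal, so treat the scan as a heuristic; the conclusive test remains submitting a value containing </noscript> through the binding and checking whether it comes back verbatim.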
Mitigation Strategies

Immediate mitigation is to upgrade @angular/platform-server (and the rest of Angular) to a release where this is fixed: 22.0.0-rc.2, 21.2.16, 20.3.24 or 19.2.25, or any later release on the same line.

If upgrading is not immediately possible, avoid binding user-controlled or other dynamic text inside <noscript> elements in SSR-rendered templates.

Alternatively, neutralize the closing-tag sequence in any such value before it is bound: match </noscript case-insensitively and followed by whitespace, "/" or ">" (the sequence the HTML tokenizer treats as an end tag inside raw text), and escape its leading "<" rather than stripping the text, so legitimate content is preserved. Treat this as a stopgap, not a replacement for the upgrade.
