CVE-2026-50557
Analyzed Analyzed - Analysis Complete

XSS Bypass in Angular Framework

Vulnerability report for CVE-2026-50557, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-07-09

Assigner: GitHub, Inc.

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22, an issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., <svg:script> or <:svg:script>) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-07-09
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 19 associated CPEs
Vendor Product Version / Range
angular angular to 18.2.14 (inc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular From 20.0.0 (inc) to 20.3.22 (exc)
angular angular From 21.0.0 (inc) to 21.2.15 (exc)
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular 22.0.0
angular angular From 19.0.0 (inc) to 19.2.22 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves bypassing Angular's sanitization of namespaced script elements and attributes, which can lead to client-side Cross-Site Scripting (XSS). Detection involves identifying if your Angular application uses vulnerable versions and if templates include suspicious namespaced script elements or attributes that could bypass sanitization.

To detect this vulnerability on your system, first verify the Angular version in use. Vulnerable versions are prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22.

You can check the Angular version in your project by running the following command in your project directory:

  • npm list @angular/core

To detect potentially malicious templates or payloads that exploit this vulnerability, you can search your codebase or deployed templates for namespaced script elements such as `<svg:script>` or `<:svg:script>` using commands like:

  • grep -r '<svg:script>' ./
  • grep -r '<:svg:script>' ./

Additionally, monitor network traffic or logs for suspicious payloads containing these namespaced elements or attributes that could bypass sanitization.

Note that detection of exploitation attempts may require custom scanning or instrumentation since the vulnerability is related to Angular's internal template compilation and sanitization logic.

Executive Summary

CVE-2026-50557 is a security vulnerability in Angular's @angular/compiler and @angular/core packages that allows attackers to bypass element and attribute sanitization through manipulation of XML namespaces in templates.

Specifically, namespaced script elements such as <svg:script> or <:svg:script> were not properly recognized as script elements by Angular's template preparser, allowing them to pass through compilation without being stripped out.

Additionally, security context schema mappings for attributes within namespaced elements like SVG and MathML were inconsistently handled, creating gaps where malicious namespaced attributes could bypass both runtime and compile-time sanitizers.

Together, these flaws enable an attacker who can inject or supply templates with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS) vulnerabilities.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of a victim's browser by injecting malicious templates or tags with custom namespaces.

Successful exploitation can lead to client-side Cross-Site Scripting (XSS) attacks, which may result in session hijacking, theft of sensitive data, unauthorized actions on behalf of the user, or other malicious activities.

The attack requires the ability to supply or inject template/tag structures with custom namespaces and the absence of additional sanitization measures.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Angular to one of the fixed versions: 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.22.

These versions include fixes that properly identify and strip namespaced <script> elements during template compilation, preventing them from bypassing sanitization.

Additionally, the fixes correct security context mappings for attributes in namespaced elements like SVG and MathML, ensuring runtime and compile-time sanitizers properly handle these cases.

Ensure that your application does not accept or render user-controlled templates or tags with custom namespaces without proper sanitization.

Compliance Impact

This vulnerability enables client-side Cross-Site Scripting (XSS) attacks by bypassing Angular's element and attribute sanitization mechanisms. Successful exploitation can lead to arbitrary JavaScript execution in the victim's browser, potentially resulting in session hijacking, data theft, or unauthorized actions.

Such security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or data breaches.

Therefore, applications using vulnerable Angular versions without additional sanitization or mitigations may fail to meet these regulatory requirements due to the increased risk of data exposure or compromise.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50557. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart