CVE-2026-50557
Received Received - Intake
XSS Bypass in Angular Framework

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22, an issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., <svg:script> or <:svg:script>) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-06-22
AI Q&A
2026-06-22
EPSS Evaluated
N/A
NVD
CVE-2026-50557
EUVD
EUVD-2026-38257
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
angular angular to 22.0.0-rc.2|end_including=22.0.0-rc.2 (exc)
angular angular to 21.2.15 (exc)
angular angular to 20.3.22 (exc)
angular angular to 19.2.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability enables client-side Cross-Site Scripting (XSS) attacks by bypassing Angular's element and attribute sanitization mechanisms. Successful exploitation can lead to arbitrary JavaScript execution in the victim's browser, potentially resulting in session hijacking, data theft, or unauthorized actions.

Such security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access or data breaches.

Therefore, applications using vulnerable Angular versions without additional sanitization or mitigations may fail to meet these regulatory requirements due to the increased risk of data exposure or compromise.

Executive Summary

CVE-2026-50557 is a security vulnerability in Angular's @angular/compiler and @angular/core packages that allows attackers to bypass element and attribute sanitization through manipulation of XML namespaces in templates.

Specifically, namespaced script elements such as <svg:script> or <:svg:script> were not properly recognized as script elements by Angular's template preparser, allowing them to pass through compilation without being stripped out.

Additionally, security context schema mappings for attributes within namespaced elements like SVG and MathML were inconsistently handled, creating gaps where malicious namespaced attributes could bypass both runtime and compile-time sanitizers.

Together, these flaws enable an attacker who can inject or supply templates with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS) vulnerabilities.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of a victim's browser by injecting malicious templates or tags with custom namespaces.

Successful exploitation can lead to client-side Cross-Site Scripting (XSS) attacks, which may result in session hijacking, theft of sensitive data, unauthorized actions on behalf of the user, or other malicious activities.

The attack requires the ability to supply or inject template/tag structures with custom namespaces and the absence of additional sanitization measures.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Angular to one of the fixed versions: 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.22.

These versions include fixes that properly identify and strip namespaced <script> elements during template compilation, preventing them from bypassing sanitization.

Additionally, the fixes correct security context mappings for attributes in namespaced elements like SVG and MathML, ensuring runtime and compile-time sanitizers properly handle these cases.

Ensure that your application does not accept or render user-controlled templates or tags with custom namespaces without proper sanitization.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50557. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart