Vulnerability in AngularJS Affects Resource URL Security Policies
CVE-2026-11998

7.6 HIGH

Key Information:

Vendor: Google

Status
Vendor
CVE Published: 24 June 2026

What is CVE-2026-11998?

A significant flaw exists in the Strict Contextual Escaping (SCE) logic of AngularJS, which enables the circumvention of essential SCE policies designed to safeguard resource URLs. This vulnerability may permit arbitrary JavaScript execution in the victim's browser session. The SCE mechanism aims to restrict the use of unsafe values in security-sensitive contexts, allowing only safe, trusted resources. However, a logic error in matching URLs against regular expressions leads to partial matches that circumvent these protections. As a result, attackers could manipulate resource URLs to execute unauthorized scripts. Given that the AngularJS framework has reached its End-of-Life status, no updates will be provided to mitigate this vulnerability.
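
The class of error described above, partial rather than full regular-expression matching of a URL against an allowlist, is shown here as an added JavaScript example. It is not AngularJS source code and does not reproduce the specific flaw in CVE-2026-11998; the allowlist patterns, function names and URLs are constructed for illustration.

```javascript
// Added illustration, not AngularJS source. Patterns, names and URLs are constructed.
// Intended policy: trust only resources served from these origins.
const allowlist = [
  /https:\/\/cdn\.example\.com\/.*/,
  /https:\/\/a\.example\/.*|https:\/\/b\.example\/.*/,
];

// Weak: test() succeeds when the pattern matches anywhere in the URL.
function partialMatch(re, url) {
  return new RegExp(re.source).test(url);
}

// Still weak: bare ^...$ binds only to the first and last alternative,
// so "^a|b$" means "starts with a" OR "ends with b".
function naiveAnchoredMatch(re, url) {
  return new RegExp('^' + re.source + '$').test(url);
}

// Strict: group the whole pattern before anchoring, and drop the flags that
// change anchor semantics (m) or keep match state between calls (g, y).
function fullMatch(re, url) {
  const flags = re.flags.replace(/[gmy]/g, '');
  return new RegExp('^(?:' + re.source + ')$', flags).test(url);
}

function isTrusted(url, matcher) {
  return allowlist.some((re) => matcher(re, url));
}

// Constructed sample URLs: one on an allowed origin, two on another origin
// that merely contain an allowed URL in their query string.
const samples = {
  allowed: 'https://cdn.example.com/widgets/panel.html',
  embedded: 'https://untrusted.example/x?u=https://cdn.example.com/widgets/panel.html',
  alternation: 'https://untrusted.example/x?u=https://b.example/lib.js',
};

// Returns { matcherName: { sampleName: boolean } } for side-by-side comparison.
function compareMatchers() {
  const matchers = { partialMatch, naiveAnchoredMatch, fullMatch };
  const out = {};
  for (const [name, fn] of Object.entries(matchers)) {
    out[name] = {};
    for (const [label, url] of Object.entries(samples)) out[name][label] = isTrusted(url, fn);
  }
  return out;
}

console.table(compareMatchers());
```

Only `fullMatch` rejects both off-origin URLs; a check of this kind can be run as a regression test over any regular expressions an application places in its resource URL allowlist.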

Affected Version(s)

AngularJS >=1.2.0-rc.3

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
