Vulnerability in AngularJS Affects Resource URL Security Policies
CVE-2026-11998
What is CVE-2026-11998?
A significant flaw exists in the Strict Contextual Escaping (SCE) logic of AngularJS, which enables the circumvention of essential SCE policies designed to safeguard resource URLs. This vulnerability may permit arbitrary JavaScript execution in the victim's browser session. The SCE mechanism aims to restrict the use of unsafe values in security-sensitive contexts, allowing only safe, trusted resources. However, a logic error in matching URLs against regular expressions leads to partial matches that circumvent these protections. As a result, attackers could manipulate resource URLs to execute unauthorized scripts. Given that the AngularJS framework has reached its End-of-Life status, no updates will be provided to mitigate this vulnerability.
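The difference between a partial and a full regular-expression match in a URL allowlist check, as an added example in generic JavaScript; it is not AngularJS source code and is not taken from the advisory. The pattern, host names, sample URLs and function names are constructed for illustration.

```javascript
// Added illustration: generic JavaScript, not AngularJS source code.
// Hypothetical allowlist entry for a trusted template host (constructed value).
const ALLOWED = /https:\/\/cdn\.example\.com\/templates\/.*/;

// Weak check: RegExp.prototype.test succeeds when the pattern matches
// anywhere inside the string, so a partial match is enough to pass.
function isTrustedPartial(url, pattern) {
  return pattern.test(url);
}

// Strict check: the match must cover the whole string.
// The non-capturing group keeps a top-level alternation (a|b) inside the
// anchors; without it, ^a|b$ anchors each branch on one side only.
// The g, m and y flags are dropped so ^ and $ mean start and end of input.
function isTrustedFull(url, pattern) {
  const flags = pattern.flags.replace(/[gmy]/g, '');
  const anchored = new RegExp('^(?:' + pattern.source + ')$', flags);
  return anchored.test(url);
}

// Audit helper: return the URLs that pass the weak check but fail the
// strict one, i.e. URLs that were accepted only through a partial match.
function partialOnly(urls, pattern) {
  return urls.filter(u => isTrustedPartial(u, pattern) && !isTrustedFull(u, pattern));
}

// Constructed sample URLs.
const SAMPLES = [
  'https://cdn.example.com/templates/card.html',
  'https://other.example.net/?next=https://cdn.example.com/templates/card.html',
  'https://cdn.example.com.other.example.net/templates/card.html',
];

console.log(partialOnly(SAMPLES, ALLOWED));
```

Running `partialOnly` over an application's own allowlist patterns and a set of known-bad URLs shows which entries depend on where the match starts or ends.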
Affected Version(s)
AngularJS >=1.2.0-rc.3