Cross-Site Scripting Vulnerability in Angular's Server-Side Rendering
CVE-2026-50555

8.6 HIGH

Key Information:

Vendor: Angular

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-50555?

A Cross-Site Scripting (XSS) vulnerability exists in Angular's @angular/platform-server due to a Unicode index alignment issue in the domino library's serialization of raw-text elements. Prior to the specified versions, if an attacker can inject dynamic text containing astral Unicode characters followed by closing HTML tags, those tags may not be properly escaped. When such text is processed on the server during server-side rendering (SSR), this results in the execution of malicious scripts, potentially allowing an attacker to carry out unauthorized actions within the same-origin context.

Affected Version(s)

angular >= 22.0.0-next.0, < 22.0.0-rc.2 < 22.0.0-next.0, 22.0.0-rc.2

angular >= 21.0.0-next.0, < 21.2.16 < 21.0.0-next.0, 21.2.16

angular >= 20.0.0-next.0, < 20.3.24 < 20.0.0-next.0, 20.3.24

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
