Cross-Site Scripting Vulnerability in Angular's Platform Server by Google
CVE-2026-50556

8.6 HIGH

Key Information:

Vendor: Angular

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-50556?

A Cross-Site Scripting (XSS) vulnerability exists in Angular's platform server caused by improper handling of elements during server-side rendering. The issue arises when dynamic text inside tags is serialized by the domino dependency. Due to incorrect escaping of these elements, it's possible for attackers to inject malicious scripts, leading to execution in the user's browser context. This vulnerability has been addressed in the latest releases of the affected Angular platform server versions.

Affected Version(s)

  • angular >= 22.0.0-next.0, < 22.0.0-rc.2

  • angular >= 21.0.0-next.0, < 21.2.16

  • angular >= 20.0.0-next.0, < 20.3.24

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
