Description
A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session.


SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs.


This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3.


Note:
The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see the  End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .
Published: 2026-06-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AngularJS includes a Strict Contextual Escaping subsystem that is supposed to filter resource URLs to prevent the execution of dangerous scripts. The flaw lies in the regular‑expression matching logic used to detect safe URLs; certain patterns trigger only a partial match, allowing a crafted URL to slip through the filter. An attacker can supply such a URL in a user‑controlled field that is bound to a resource URL, causing the browser to load and execute the embedded JavaScript within the victim’s session. The weakness is classified as CWE‑79 (Cross‑Site Scripting) and CWE‑791 (Untrusted Input), resulting in untrusted input being used in a security‑critical context.

Affected Systems

The affected product is AngularJS distributed by Google. All releases of AngularJS from version 1.2.0-rc.3 onward are vulnerable, and the project has reached End‑of‑Life, meaning no further security updates will be released.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity. An EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The client‑side attack vector allows a malicious actor to introduce a specially crafted URL into any AngularJS‑controlled page that accepts untrusted input. Because the flaw bypasses internal sanitization, an attacker who can influence content bound to a resource URL could hijack sessions, steal, or perform other malicious actions within the victim’s browser session.

Generated by OpenCVE AI on June 30, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Move all production sites away from AngularJS 1.x or replace it with a supported modern framework.
  • Implement a strict Content Security Policy that blocks inline scripts and prevents script execution from untrusted resource URLs.
  • Validate or sanitize data bound to resource URL bindings before passing it to AngularJS, restricting allowed protocols to trusted sources.

Generated by OpenCVE AI on June 30, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
References
Metrics threat_severity

None

threat_severity

Important


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google angularjs
Vendors & Products Google
Google angularjs

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session. SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs. This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see the  End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .
Title AngularJS XSS via SCE resource URL sanitization bypass
Weaknesses CWE-791
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L'}


Subscriptions

Google Angularjs
cve-icon MITRE

Status: PUBLISHED

Assigner: HeroDevs

Published:

Updated: 2026-07-15T01:23:02.488Z

Reserved: 2026-06-11T15:46:34.897Z

Link: CVE-2026-11998

cve-icon Vulnrichment

Updated: 2026-07-14T12:04:54.902Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T20:29:37Z

Links: CVE-2026-11998 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T02:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-791

    Incomplete Filtering of Special Elements