CVE-2026-11998 - Vulnerability Details

Description

A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session.

SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs.

This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3.

Note:
The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see the End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .

Published: 2026-06-24

Score: 7.6 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Contextual Escaping logic allows attackers to bypass the regular‑expression checks that protect resource URLs. By crafting specially formatted URLs, an attacker can inject executable JavaScript into the browser context when the URL is interpreted as a script or iframe source. This improper validation is classified as CWE‑791 and results in an XSS vulnerability that can be used to hijack sessions, steal credentials, deface webpages, or execute other malicious actions.

Affected Systems

All releases of AngularJS from version 1.2.0‑rc.3 onward are affected. The AngularJS project is end‑of‑life and will not receive any security updates, so the vulnerability remains unpatched in existing installations.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker can exploit the flaw by delivering a malicious resource URL to any AngularJS‑controlled page that permits untrusted input. The vulnerability is client‑side, which exists on every vulnerable page where user input can influence resource URLs. Consequently, the likelihood of exploitation in susceptible applications is high.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Google

AngularJS

unaffected

Version	Status	Constraints
`>=1.2.0-rc.3`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Migrate all AngularJS 1.x usage to a supported modern framework or remove AngularJS from production sites.
Adopt a strict Content Security Policy that blocks inline scripts and disallows script execution originating from unsanitized URLs.
When removal is not feasible, data used to bind resource URLs with application‑specific logic before passing it to AngularJS.

Generated by OpenCVE AI on June 24, 2026 at 23:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://codepen.io/herodevs/pen/JobQdmz/5b3896f56fab66f20cd25e698cf3faa8
https://www.herodevs.com/vulnerability-directory/cve-2026-11998

History

Wed, 24 Jun 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session. SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs. This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see the End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .
Title		AngularJS XSS via SCE resource URL sanitization bypass
Weaknesses		CWE-791
References		https://codepen.io/herodevs/pen/JobQdmz/5b3896f56fab66f20cd25e698cf3faa8 https://www.herodevs.com/vulnerability-directory/cve-2026-11998
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: HeroDevs

Published: 2026-06-24T20:29:37.188Z

Updated: 2026-06-24T20:29:37.188Z

Reserved: 2026-06-11T15:46:34.897Z

Link: CVE-2026-11998

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:00:14Z

Weaknesses

CWE-791
Incomplete Filtering of Special Elements

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object