Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
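The serialization defect the description explains, shown in an added JavaScript example that is not Angular's or domino's code (the element sets, helper functions and the bound value are constructed for illustration): a raw-text element set that includes NOSCRIPT but a closing-tag escaping set that omits it reproduces the advisory's output, and adding NOSCRIPT to the escaping set neutralises the premature end tag. The `countEndTags` check is the kind of assertion an SSR test suite could run over emitted HTML.

```javascript
// Added example, not Angular's or domino's code: a minimal serializer for a
// one-level element whose text child comes from a template binding. It
// models the defect the advisory describes (NOSCRIPT present in the raw-text
// set but absent from the closing-tag escaping set) next to a hardened
// variant. Element sets, function names and the sample bound value are
// constructed for this illustration.

// Elements whose text child is written out verbatim (raw text) when the
// emulated DOM has scripting enabled; <noscript> is one of them in that mode.
const RAW_TEXT_ELEMENTS = new Set([
  'SCRIPT', 'STYLE', 'XMP', 'IFRAME', 'NOEMBED', 'NOFRAMES', 'PLAINTEXT', 'NOSCRIPT',
]);

// Raw-text elements whose content receives closing-tag escaping. The
// vulnerable set omits NOSCRIPT; the fixed set adds it.
const ESCAPED_VULNERABLE = new Set([
  'SCRIPT', 'STYLE', 'XMP', 'IFRAME', 'NOEMBED', 'NOFRAMES', 'PLAINTEXT',
]);
const ESCAPED_FIXED = new Set([...ESCAPED_VULNERABLE, 'NOSCRIPT']);

// Ordinary text nodes are entity-escaped, so "</noscript>" inside a <div>
// is inert regardless of which set is in use.
function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Inside a raw-text element the tokenizer only ever looks for "</tagname"
// (case-insensitive) to leave the element, so breaking that sequence is
// enough; "<\/" is used here because it also stays valid inside scripts.
function escapeRawText(text, tagName) {
  const re = new RegExp('</(' + tagName + ')', 'gi');
  return text.replace(re, '<\\/$1');
}

// Serialize { tagName, text } using the given closing-tag escaping set.
function serializeElement(el, escapedSet) {
  const tag = el.tagName.toUpperCase();
  let body;
  if (RAW_TEXT_ELEMENTS.has(tag)) {
    body = escapedSet.has(tag) ? escapeRawText(el.text, tag) : el.text;
  } else {
    body = escapeText(el.text);
  }
  const lower = tag.toLowerCase();
  return '<' + lower + '>' + body + '</' + lower + '>';
}

// Defender-side check on emitted HTML: a raw-text element must contain
// exactly one end tag for its own name, the real one. More than one means a
// bound value closed the element early.
function countEndTags(html, tagName) {
  const re = new RegExp('</' + tagName + '(?=[\\s>/])', 'gi');
  return (html.match(re) || []).length;
}

// Constructed bound value that reproduces the advisory's own example output.
const BOUND_VALUE = '</noscript><script>alert(1)</script>';
const NOSCRIPT_NODE = { tagName: 'noscript', text: BOUND_VALUE };

function renderVulnerable() { return serializeElement(NOSCRIPT_NODE, ESCAPED_VULNERABLE); }
function renderFixed() { return serializeElement(NOSCRIPT_NODE, ESCAPED_FIXED); }

console.log('vulnerable:', renderVulnerable(),
  'end tags:', countEndTags(renderVulnerable(), 'noscript'));
console.log('fixed:     ', renderFixed(),
  'end tags:', countEndTags(renderFixed(), 'noscript'));
```

The vulnerable path emits the bound text verbatim because NOSCRIPT sits in the raw-text set (so no entity escaping) but not in the escaping set (so no end-tag escaping); the fixed path changes only set membership, which is the shape of fix the description points at.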
Published: 2026-06-22
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Angular's server-side rendering engine, where a missing escape check for </noscript> tags inside dynamically bound content allows a malicious closing tag to terminate the <noscript> element early. The browser then interprets the following user-supplied script as executable code, enabling attackers to run arbitrary JavaScript in the victim's browser context. This can lead to data theft, session hijacking, or further exploitation of the application, with a CVSS score of 8.6 indicating high severity.

Affected Systems

Angular versions prior to 22.0.0‑rc.2, 21.2.16, 20.3.24, and 19.2.25 are vulnerable. The issue is present in the @angular/platform‑server component which relies on the Domino DOM emulation library. Users of these Angular releases that employ server‑side rendering with <noscript> tags containing template bindings are at risk.

Risk and Exploitability

The vulnerability is considered high risk due to the lack of an escape mechanism for </noscript> during SSR, but the EPSS score is not available, making the precise likelihood of exploitation unclear. It is not listed in the CISA KEV catalog, suggesting no publicly reported exploits yet. The attack vector is a server‑side rendered application that accepts user‑controlled content in <noscript> elements; an attacker would need to provoke template rendering with malicious data containing </noscript>. Once triggered, the same‑origin XSS payload would execute with the privileges of the page.

Generated by OpenCVE AI on June 22, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to the fixed release – 22.0.0‑rc.2 or later, 21.2.16 or later, 20.3.24 or later, or 19.2.25 or later.
  • Eliminate or sanitize dynamic bindings inside <noscript> tags in SSR templates; replace them with static or safely escaped content.
  • If an update cannot be applied immediately, temporarily disable server‑side rendering or remove <noscript> elements from the rendering pipeline until the fix is deployed.

Advisories

Source: Github GHSA
ID: GHSA-gxx4-3xcv-f8qx
Title: @angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR

History

Mon, 22 Jun 2026 17:30:00 +0000

Values added (no values removed):

Description: added; identical to the description at the top of this page.
Title: Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
Weaknesses: CWE-79
References: none listed
Metrics: cvssV4_0, score 8.6, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:38:28.166Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50556

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T18:30:15Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')