Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
Published: 2026-06-22
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in Angular’s server–side rendering engine, where a missing escape check for </noscript> tags inside dynamically bound content allows a malicious closing tag to terminate the <noscript> element early. The browser then interprets the following user‑supplied script as executable code, enabling attackers to run arbitrary JavaScript in the victim’s browser context. This can lead to data theft, session hijacking, or further exploitation of the application, with a CVSS score of 8.6 indicating high severity.

Affected Systems

Angular versions prior to 22.0.0‑rc.2, 21.2.16, 20.3.24, and 19.2.25 are vulnerable. The issue is present in the @angular/platform‑server component which relies on the Domino DOM emulation library. Users of these Angular releases that employ server‑side rendering with <noscript> tags containing template bindings are at risk.

Risk and Exploitability

The vulnerability is considered high risk due to the lack of an escape mechanism for </noscript> during SSR, but the EPSS score is not available, making the precise likelihood of exploitation unclear. It is not listed in the CISA KEV catalog, suggesting no publicly reported exploits yet. The attack vector is a server‑side rendered application that accepts user‑controlled content in <noscript> elements; an attacker would need to provoke template rendering with malicious data containing </noscript>. Once triggered, the same‑origin XSS payload would execute with the privileges of the page.

Generated by OpenCVE AI on June 22, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to the fixed release – 22.0.0‑rc.2 or later, 21.2.16 or later, 20.3.24 or later, or 19.2.25 or later.
  • Eliminate or sanitize dynamic bindings inside <noscript> tags in SSR templates; replace them with static or safely escaped content.
  • If an update cannot be applied immediately, temporarily disable server‑side rendering or remove <noscript> elements from the rendering pipeline until the fix is deployed.

Generated by OpenCVE AI on June 22, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gxx4-3xcv-f8qx @angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Important


Tue, 23 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
Title Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-03T12:04:57.639Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50556

cve-icon Vulnrichment

Updated: 2026-07-03T12:04:57.639Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-22T15:38:28Z

Links: CVE-2026-50556 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T20:30:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')