Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50555

CVE-2026-50555: Angular Platform Server XSS Vulnerability

CVE-2026-50555 is a cross-site scripting flaw in Angular's platform-server DOM emulation that allows attackers to execute malicious scripts during SSR. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-50555 Overview

CVE-2026-50555 is a Cross-Site Scripting (XSS) vulnerability in Angular's @angular/platform-server package, specifically in its DOM emulation dependency domino. The flaw resides in the serialization logic for raw-text elements such as <script>, <style>, and <iframe>. A Unicode index alignment bug allows attackers to bypass closing-tag escaping when astral Unicode characters appear before a closing tag in bound dynamic text. Successful exploitation during Server-Side Rendering (SSR) leads to same-origin script execution in the victim's browser. The issue is classified as [CWE-79] Improper Neutralization of Input During Web Page Generation.

Critical Impact

Attackers who control server-rendered dynamic text can achieve same-origin XSS in Angular SSR applications, leading to session theft, account takeover, and arbitrary action execution as the victim user.

Affected Products

  • Angular @angular/platform-server versions prior to 22.0.0-rc.2
  • Angular @angular/platform-server versions prior to 21.2.16
  • Angular @angular/platform-server versions prior to 20.3.24 and 19.2.25

Discovery Timeline

  • 2026-06-22 - CVE-2026-50555 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-50555

Vulnerability Analysis

The vulnerability stems from how domino escapes closing tags inside raw-text HTML elements during serialization. JavaScript measures string length and character indices in UTF-16 code units. Astral Unicode characters such as emojis occupy two code units (a surrogate pair) instead of one. The escape logic in domino calculated replacement offsets assuming a one-to-one character mapping. When bound dynamic text contained astral characters before a closing tag, the index offset shifted and the replacement routine skipped the tag entirely.

As a result, sequences such as </script>, </style>, or </iframe> were emitted to the rendered HTML without escaping. The browser then exits the raw-text parsing context prematurely and treats subsequent markup as live HTML.

Root Cause

The root cause is a numeric indexing mismatch between Unicode code points and UTF-16 code units inside domino's raw-text serializer. The escape function used positional arithmetic that did not account for surrogate pairs. This caused targeted closing tags to remain unescaped whenever astral characters preceded them in the bound text.

Attack Vector

Exploitation requires an Angular SSR application that binds attacker-controlled text into a raw-text element such as <script>, <style>, or <iframe>. The attacker supplies a payload containing an astral Unicode character followed by a closing tag and an injected script, for example 😀</iframe><script>alert(1)</script>. During SSR, domino serializes the document and fails to escape the closing tag. The browser receives unescaped HTML, terminates the raw-text context, and executes the injected <script> in the application's origin. Because execution occurs in the same origin, the attacker can read cookies, perform authenticated requests, and pivot to further account compromise.

No verified public proof-of-concept code is available beyond the payload pattern documented in the Angular GitHub Security Advisory and the upstream fix in the domino Pull Request.

Detection Methods for CVE-2026-50555

Indicators of Compromise

  • Server-rendered HTML responses containing unescaped </script>, </style>, or </iframe> tags inside bound dynamic text regions.
  • HTTP request parameters or stored content containing astral Unicode characters (emojis, mathematical symbols) immediately followed by HTML closing tags.
  • Outbound requests from client browsers to attacker-controlled domains shortly after rendering pages that include user-supplied content.

Detection Strategies

  • Inspect SSR output for the regex pattern combining a surrogate pair followed by </script, </style, or </iframe (case-insensitive).
  • Run dependency audits (npm ls @angular/platform-server and npm ls domino) to identify vulnerable versions across build pipelines.
  • Add server-side logging of rendered HTML fragments that include user-controlled fields and alert on closing-tag sequences appearing within raw-text contexts.

Monitoring Recommendations

  • Enable a strict Content Security Policy (CSP) with script-src nonces and monitor CSP violation reports for inline script execution attempts.
  • Monitor Web Application Firewall (WAF) logs for request bodies containing astral characters adjacent to HTML closing tags in fields rendered server-side.
  • Track Angular and domino package versions through Software Bill of Materials (SBOM) tooling and alert on builds that fall behind the fixed releases.

How to Mitigate CVE-2026-50555

Immediate Actions Required

  • Upgrade @angular/platform-server to 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25 depending on the major version in use.
  • Rebuild and redeploy all SSR application bundles to ensure the patched domino dependency is pulled into production artifacts.
  • Audit application templates for bindings that interpolate user-controlled text inside <script>, <style>, or <iframe> elements and refactor where possible.

Patch Information

The Angular team fixed the issue in @angular/platform-server versions 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25. The underlying serializer fix lives in domino and is documented in the domino Pull Request #29. Full advisory details are published in the Angular Security Advisory GHSA-hqr9-c56f-3x7f.

Workarounds

  • Avoid binding user-controlled text directly inside raw-text elements; render such content in standard elements where Angular's default escaping applies.
  • Strip or reject astral Unicode characters from inputs that flow into <script>, <style>, or <iframe> bindings until the patched version is deployed.
  • Enforce a strict CSP with nonces or hashes to prevent execution of injected inline scripts even if the closing-tag bypass occurs.
bash
# Upgrade Angular platform-server to a patched release
npm install @angular/platform-server@21.2.16 --save

# Verify resolved domino version in the dependency tree
npm ls domino

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.