Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50556

CVE-2026-50556: Angular Platform Server XSS Vulnerability

CVE-2026-50556 is a Cross-Site Scripting vulnerability in Angular's platform-server component that allows attackers to inject malicious scripts through noscript elements during SSR. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-50556 Overview

CVE-2026-50556 is a Cross-Site Scripting (XSS) vulnerability in Angular's @angular/platform-server package, specifically affecting the DOM emulation dependency domino during Server-Side Rendering (SSR). The flaw occurs when dynamic text content bound inside <noscript> elements is serialized without escaping </noscript> closing tags. Attackers can inject script blocks that execute in the user's browser under the application's origin. The vulnerability is fixed in Angular versions 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25. The weakness is categorized under [CWE-79].

Critical Impact

Unescaped </noscript> sequences in template-bound text allow attackers to break out of <noscript> blocks and execute arbitrary JavaScript in the victim's browser context, enabling same-origin XSS against SSR-rendered Angular applications.

Affected Products

  • Angular @angular/platform-server prior to 22.0.0-rc.2
  • Angular @angular/platform-server prior to 21.2.16
  • Angular @angular/platform-server prior to 20.3.24 and 19.2.25

Discovery Timeline

  • 2026-06-22 - CVE-2026-50556 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-50556

Vulnerability Analysis

The vulnerability resides in how domino, the DOM emulation library used by @angular/platform-server for SSR, serializes the contents of <noscript> elements. Angular templates that bind dynamic text inside <noscript> (using {{ value }} or [textContent]) rely on the browser to treat that content as raw text and render it safely on the client.

Under SSR, domino runs with scripting enabled, which means <noscript> is treated as a raw-text element. However, domino's serializer omitted <noscript> from the list of raw-text elements that require escaping of closing tags. Dynamic text containing </noscript> was therefore serialized verbatim into the response HTML.

When a browser parses the resulting markup, the embedded </noscript> prematurely closes the <noscript> block. Any following <script> payload is then parsed and executed in the application's origin, producing a same-origin XSS condition.

Root Cause

The root cause is an incomplete raw-text element list in domino's HTML serializer. Because <noscript> was absent from that list, the serializer never escaped or sanitized </noscript> substrings inside bound text nodes, breaking Angular's expectation that the browser would treat the contents as inert raw text.

Attack Vector

Exploitation requires an Angular SSR application that binds attacker-influenced data into a <noscript> element. An attacker submits input containing a </noscript> sequence followed by a <script> payload. The SSR pipeline serializes the output and returns it to the victim, whose browser closes the <noscript> early and executes the injected script. The attack requires network access and user interaction (loading the rendered page).

See the GitHub Security Advisory GHSA-gxx4-3xcv-f8qx for additional technical detail.

Detection Methods for CVE-2026-50556

Indicators of Compromise

  • HTTP responses from SSR endpoints containing the substring </noscript><script> inside a <noscript> block that originated from template-bound dynamic data.
  • Browser console errors or Content Security Policy (CSP) violation reports referencing inline script execution on pages that should not emit inline scripts.
  • User-supplied fields stored in backend datastores that contain </noscript> followed by HTML tags or JavaScript payloads.

Detection Strategies

  • Inspect rendered HTML output of SSR routes for unescaped </noscript> sequences within <noscript> blocks bound to user-controlled data.
  • Audit Angular templates for <noscript> elements containing interpolations such as {{ value }} or [textContent] bindings sourced from untrusted input.
  • Scan installed Node.js dependencies for @angular/platform-server versions below the fixed releases and pinned domino versions lacking the serializer fix.

Monitoring Recommendations

  • Enable strict CSP with script-src directives that disallow inline scripts and forward violation reports to a central collector.
  • Log and alert on SSR responses whose body length or DOM structure deviates from expected baselines for routes that render user input.
  • Track outbound dependency changes and CI build manifests to confirm patched Angular and domino versions are deployed.

How to Mitigate CVE-2026-50556

Immediate Actions Required

  • Upgrade @angular/platform-server to 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25 depending on your major version.
  • Update the transitive domino dependency to the version containing the serializer fix referenced in angular/domino Pull Request #29.
  • Review SSR-rendered routes that bind untrusted input into <noscript> elements and temporarily strip </noscript> from those inputs at the application layer.

Patch Information

The vulnerability is fixed in Angular 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25. The underlying domino serializer fix is tracked in angular/domino Pull Request #29. Additional context is available in GitHub Issue #68903 and GitHub Security Advisory GHSA-gxx4-3xcv-f8qx.

Workarounds

  • Avoid binding untrusted data inside <noscript> elements until the patch is deployed.
  • Sanitize input server-side to remove or encode any </noscript> substrings before they reach template bindings.
  • Deploy a strict Content Security Policy that blocks inline <script> execution to reduce the impact of injection.
bash
# Configuration example: upgrade Angular SSR packages to a fixed release
npm install @angular/platform-server@21.2.16 @angular/core@21.2.16
npm ls domino

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.