CVE-2026-50556 Overview
CVE-2026-50556 is a Cross-Site Scripting (XSS) vulnerability in Angular's @angular/platform-server package, specifically affecting the DOM emulation dependency domino during Server-Side Rendering (SSR). The flaw occurs when dynamic text content bound inside <noscript> elements is serialized without escaping </noscript> closing tags. Attackers can inject script blocks that execute in the user's browser under the application's origin. The vulnerability is fixed in Angular versions 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25. The weakness is categorized under [CWE-79].
Critical Impact
Unescaped </noscript> sequences in template-bound text allow attackers to break out of <noscript> blocks and execute arbitrary JavaScript in the victim's browser context, enabling same-origin XSS against SSR-rendered Angular applications.
Affected Products
- Angular @angular/platform-server prior to 22.0.0-rc.2
- Angular @angular/platform-server prior to 21.2.16
- Angular @angular/platform-server prior to 20.3.24 and 19.2.25
Discovery Timeline
- 2026-06-22 - CVE-2026-50556 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-50556
Vulnerability Analysis
The vulnerability resides in how domino, the DOM emulation library used by @angular/platform-server for SSR, serializes the contents of <noscript> elements. Angular templates that bind dynamic text inside <noscript> (using {{ value }} or [textContent]) rely on the browser to treat that content as raw text and render it safely on the client.
Under SSR, domino runs with scripting enabled, which means <noscript> is treated as a raw-text element. However, domino's serializer omitted <noscript> from the list of raw-text elements that require escaping of closing tags. Dynamic text containing </noscript> was therefore serialized verbatim into the response HTML.
When a browser parses the resulting markup, the embedded </noscript> prematurely closes the <noscript> block. Any following <script> payload is then parsed and executed in the application's origin, producing a same-origin XSS condition.
Root Cause
The root cause is an incomplete raw-text element list in domino's HTML serializer. Because <noscript> was absent from that list, the serializer never escaped or sanitized </noscript> substrings inside bound text nodes, breaking Angular's expectation that the browser would treat the contents as inert raw text.
Attack Vector
Exploitation requires an Angular SSR application that binds attacker-influenced data into a <noscript> element. An attacker submits input containing a </noscript> sequence followed by a <script> payload. The SSR pipeline serializes the output and returns it to the victim, whose browser closes the <noscript> early and executes the injected script. The attack requires network access and user interaction (loading the rendered page).
See the GitHub Security Advisory GHSA-gxx4-3xcv-f8qx for additional technical detail.
Detection Methods for CVE-2026-50556
Indicators of Compromise
- HTTP responses from SSR endpoints containing the substring </noscript><script> inside a <noscript> block that originated from template-bound dynamic data.
- Browser console errors or Content Security Policy (CSP) violation reports referencing inline script execution on pages that should not emit inline scripts.
- User-supplied fields stored in backend datastores that contain </noscript> followed by HTML tags or JavaScript payloads.
Detection Strategies
- Inspect rendered HTML output of SSR routes for unescaped </noscript> sequences within <noscript> blocks bound to user-controlled data.
- Audit Angular templates for <noscript> elements containing interpolations such as {{ value }} or [textContent] bindings sourced from untrusted input.
- Scan installed Node.js dependencies for @angular/platform-server versions below the fixed releases and pinned domino versions lacking the serializer fix.
Monitoring Recommendations
- Enable strict CSP with script-src directives that disallow inline scripts and forward violation reports to a central collector.
- Log and alert on SSR responses whose body length or DOM structure deviates from expected baselines for routes that render user input.
- Track outbound dependency changes and CI build manifests to confirm patched Angular and domino versions are deployed.
How to Mitigate CVE-2026-50556
Immediate Actions Required
- Upgrade @angular/platform-server to 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25 depending on your major version.
- Update the transitive domino dependency to the version containing the serializer fix referenced in angular/domino Pull Request #29.
- Review SSR-rendered routes that bind untrusted input into <noscript> elements and temporarily strip </noscript> from those inputs at the application layer.
Patch Information
The vulnerability is fixed in Angular 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25. The underlying domino serializer fix is tracked in angular/domino Pull Request #29. Additional context is available in GitHub Issue #68903 and GitHub Security Advisory GHSA-gxx4-3xcv-f8qx.
Workarounds
- Avoid binding untrusted data inside <noscript> elements until the patch is deployed.
- Sanitize input server-side to remove or encode any </noscript> substrings before they reach template bindings.
- Deploy a strict Content Security Policy that blocks inline <script> execution to reduce the impact of injection.
# Configuration example: upgrade Angular SSR packages to a fixed release
npm install @angular/platform-server@21.2.16 @angular/core@21.2.16
npm ls domino
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

