Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50557

CVE-2026-50557: Angular Namespace Bypass XSS Vulnerability

CVE-2026-50557 is a Cross-Site Scripting flaw in Angular that allows attackers to bypass sanitization through namespaced elements. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-50557 Overview

CVE-2026-50557 is a client-side Cross-Site Scripting (XSS) vulnerability in the @angular/compiler and @angular/core packages. The flaw allows attackers to bypass Angular's element and attribute sanitization by abusing namespaced elements such as <svg:script> or <:svg:script>. The Angular template preparser fails to identify these namespaced variants as script elements, so they survive template compilation. Inconsistent security context schema mappings for attributes in SVG and MathML namespaces compound the issue. An attacker who can inject a template or tag structure with custom namespaces can execute arbitrary JavaScript in the victim's browser. The vulnerability is tracked under [CWE-79] and is fixed in Angular versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22.

Critical Impact

Successful exploitation results in client-side script execution in the user's browser session, enabling session theft, credential harvesting, and unauthorized actions performed as the authenticated user.

Affected Products

  • Angular @angular/compiler prior to versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22
  • Angular @angular/core prior to versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22
  • Angular applications that compile or render templates containing untrusted markup

Discovery Timeline

  • 2026-06-22 - CVE-2026-50557 published to NVD
  • 2026-06-22 - Last updated in NVD database

Technical Details for CVE-2026-50557

Vulnerability Analysis

The vulnerability arises from two cooperating weaknesses in Angular's template processing pipeline. First, the template preparser identifies script elements by tag name without normalizing namespace prefixes. Tags such as <svg:script> and <:svg:script> therefore pass through the script-stripping logic untouched. Second, the security context schema that maps element attributes to sanitization rules does not consistently apply to attributes within namespaced elements like SVG and MathML. Attributes such as event handlers or href variants on namespaced elements escape both compile-time and runtime sanitization. When chained, these gaps allow attacker-supplied template fragments to embed executable script content that Angular would normally remove.

Root Cause

The root cause is incomplete namespace handling in Angular's sanitization layer. Tag identification and attribute security context lookups assume non-namespaced names. Namespaced variants bypass the allowlist comparisons used by the preparser and the schema-driven attribute sanitizer.

Attack Vector

Exploitation requires that an application accept template content, dynamic markup, or tag structures from an untrusted source and render them through Angular's templating system. An attacker crafts payloads using namespaced script tags such as <svg:script> or namespaced attribute names on SVG and MathML elements. User interaction is required, consistent with typical reflected or DOM-based XSS scenarios. No verified public exploit code was available at the time of publication. Refer to the Angular Security Advisory GHSA-f3m7-gqxr-g87x for technical details.

Detection Methods for CVE-2026-50557

Indicators of Compromise

  • HTTP request or stored content containing namespaced script tags such as <svg:script>, <:svg:script>, or <math:script>
  • Template fragments or user-controlled inputs that embed SVG or MathML elements carrying event-handler attributes like onload, onerror, or onclick
  • Application logs showing rendering of dynamic templates that include xmlns declarations from untrusted sources

Detection Strategies

  • Inventory Angular projects and identify versions of @angular/core and @angular/compiler below 19.2.22, 20.3.22, 21.2.15, or 22.0.0-rc.2 using software composition analysis.
  • Inspect application code for use of bypassSecurityTrustHtml, innerHTML binding, or dynamic template compilation with untrusted input.
  • Add web application firewall rules to flag payloads containing namespaced script tag patterns in request bodies and query strings.

Monitoring Recommendations

  • Monitor browser-side errors and Content Security Policy (CSP) violation reports for unexpected inline script executions on Angular routes.
  • Log and review outbound network connections initiated from client browsers to domains not associated with the application.
  • Track changes to package manifests (package.json, package-lock.json) in CI/CD pipelines to ensure patched Angular versions remain pinned.

How to Mitigate CVE-2026-50557

Immediate Actions Required

  • Upgrade @angular/compiler and @angular/core to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.22 depending on the major version in use.
  • Audit application code paths that render user-supplied HTML, SVG, or MathML content through Angular templates or DomSanitizer bypass methods.
  • Enforce a strict Content Security Policy that disallows inline scripts and restricts allowed script sources.

Patch Information

The Angular team released fixes in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22. The corrective changes are documented in GitHub Pull Request #68689 and GitHub Pull Request #68868. Full advisory details are available in the GitHub Security Advisory GHSA-f3m7-gqxr-g87x.

Workarounds

  • Reject or strip SVG and MathML namespaces from untrusted input before it reaches Angular's template rendering pipeline.
  • Avoid passing user-controlled data to DomSanitizer.bypassSecurityTrustHtml or similar trust-bypass APIs.
  • Apply server-side HTML sanitization with a library that normalizes namespace prefixes prior to delivering content to the client.
bash
# Configuration example: upgrade Angular packages to patched versions
npm install @angular/core@19.2.22 @angular/compiler@19.2.22 --save
# or for the 20.x line
npm install @angular/core@20.3.22 @angular/compiler@20.3.22 --save
# or for the 21.x line
npm install @angular/core@21.2.15 @angular/compiler@21.2.15 --save

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.