{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50556", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-04T21:34:34.426Z", "datePublished": "2026-06-22T15:38:28.166Z", "dateUpdated": "2026-06-22T21:17:45.731Z"}, "containers": {"cna": {"title": "Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx"}, {"name": "https://github.com/angular/angular/issues/68903", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/angular/issues/68903"}, {"name": "https://github.com/angular/domino/pull/29", "tags": ["x_refsource_MISC"], "url": "https://github.com/angular/domino/pull/29"}], "affected": [{"vendor": "angular", "product": "angular", "versions": [{"version": ">= 22.0.0-next.0, < 22.0.0-rc.2", "status": "affected"}, {"version": ">= 21.0.0-next.0, < 21.2.16", "status": "affected"}, {"version": ">= 20.0.0-next.0, < 20.3.24", "status": "affected"}, {"version": ">= 19.0.0-next.0, < 19.2.25", "status": "affected"}, {"version": "<= 18.2.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T15:38:28.166Z"}, "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25."}], "source": {"advisory": "GHSA-gxx4-3xcv-f8qx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-22T21:14:35.418340Z", "id": "CVE-2026-50556", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T21:17:45.731Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-50556", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-22T21:14:35.418340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-22T21:14:41.249Z"}}], "cna": {"title": "Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR", "source": {"advisory": "GHSA-gxx4-3xcv-f8qx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "angular", "product": "angular", "versions": [{"status": "affected", "version": ">= 22.0.0-next.0, < 22.0.0-rc.2"}, {"status": "affected", "version": ">= 21.0.0-next.0, < 21.2.16"}, {"status": "affected", "version": ">= 20.0.0-next.0, < 20.3.24"}, {"status": "affected", "version": ">= 19.0.0-next.0, < 19.2.25"}, {"status": "affected", "version": "<= 18.2.14"}]}], "references": [{"url": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx", "name": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/angular/angular/issues/68903", "name": "https://github.com/angular/angular/issues/68903", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/angular/domino/pull/29", "name": "https://github.com/angular/domino/pull/29", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T15:38:28.166Z"}}}, "cveMetadata": {"cveId": "CVE-2026-50556", "state": "PUBLISHED", "dateUpdated": "2026-06-22T21:17:45.731Z", "dateReserved": "2026-06-04T21:34:34.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-22T15:38:28.166Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "@angular/platform-server: domino: Angular Platform Server: Cross-Site Scripting via unescaped `</noscript>` tags in dynamic content", "id": "2491459", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491459"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["A flaw was found in @angular/platform-server. This Cross-Site Scripting (XSS) vulnerability exists in its DOM emulation dependency, domino, when handling the content of `<noscript>` elements during server-side rendering. A remote attacker could exploit this by injecting unescaped closing `</noscript>` tags within dynamic text content. This allows for the execution of arbitrary code in the user's browser context, potentially leading to information disclosure or other malicious activities."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-50556", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "dotnet5.0-build-reference-packages", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "platform-server", "product_name": "Red Hat Fuse 7"}], "public_date": "2026-06-22T15:38:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-50556\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-50556\nhttps://github.com/angular/angular/issues/68903\nhttps://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx\nhttps://github.com/angular/domino/pull/29"], "statement": "This flaw has an Important impact as @angular/platform-server's DOM emulation dependency (domino) in Red Hat products does not properly escape closing noscript tags during server-side rendering. A remote unauthenticated attacker can inject a crafted closing noscript tag into dynamic text content, which is serialized unescaped into the output HTML. When a user visits the affected page, the injected script executes in their browser context, enabling session hijacking, credential theft, or arbitrary actions on behalf of the user.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[22.0.0-next.0,22.0.0-rc.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[21.0.0-next.0,21.2.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.0.0-next.0,20.3.24)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[19.0.0-next.0,19.2.25)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,18.2.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "angular", "source": "cna", "vendor": "angular"}, "product": "angular", "vendor": "angular"}], "created": "2026-06-22T18:30:15.401673+00:00", "updated": "2026-06-22T20:30:06.168883+00:00", "vendors": ["angular", "angular$PRODUCT$angular"]}