PatchSiren cyber security CVE debrief
CVE-2026-50555 angular CVE debrief
CVE-2026-50555 is a high-severity Cross-Site Scripting (XSS) vulnerability in domino, the DOM emulation library that Angular's @angular/platform-server depends on. The flaw is in the serialization of raw-text elements such as <script>, <style>, and <iframe>: a Unicode index alignment bug in the escaping logic lets an attacker supply a payload containing both an astral Unicode character and a closing tag, leading to same-origin Cross-Site Scripting (XSS). The vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
- Vendor: angular
- Product: Unknown
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-26
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-26
Who should care
Developers and administrators using Angular's @angular/platform-server are at risk and should prioritize patching. This vulnerability can lead to same-origin Cross-Site Scripting (XSS) attacks, allowing attackers to execute arbitrary JavaScript code on the client side. The vulnerability has a high CVSS score of 8.6, indicating a significant risk to affected systems.
Technical summary
The vulnerability exists in the domino library used by @angular/platform-server. When serializing raw-text elements, domino supports escaping to prevent closing-tag breakout. However, a Unicode index alignment bug causes the escaping logic to fail when the bound dynamic text contains astral Unicode characters before the closing tag. This allows an attacker to supply a payload that, when serialized, leaves the closing tag raw and unescaped in the output HTML. The browser then parses the unescaped closing tag, exits the raw-text context early, and executes the subsequent <script> block, leading to same-origin Cross-Site Scripting (XSS).
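The following is an added illustrative example, not domino's or Angular's code. It shows the two things a raw-text serializer has to get right: escaping closing tags without index arithmetic that drifts on UTF-16 surrogate pairs, and a browser-style read of the result that confirms the closing tag did not survive. The "</tag" to "<\/tag" rewriting scheme and all function names are assumptions.

```javascript
// Added illustrative example; this is not domino's or Angular's code.
// Scheme assumption: closing tags inside raw-text content are neutralized by
// rewriting "</tag" as "<\/tag", which is harmless inside <script> text.
const RAW_TEXT_TAGS = ['script', 'style', 'iframe'];

// Map a code-point index to a UTF-16 code-unit index. An escaper that counts
// positions in code points but slices with String.prototype.slice (which takes
// code-unit offsets) must do this conversion; without it every position after
// an astral character drifts by one code unit per such character.
function codePointIndexToUnitIndex(text, cpIndex) {
  let units = 0;
  let seen = 0;
  for (const ch of text) {      // for...of yields whole code points
    if (seen === cpIndex) break;
    units += ch.length;         // 1 for BMP characters, 2 for a surrogate pair
    seen += 1;
  }
  return units;
}

// Neutralize every "</tag" in raw-text content. Working on the whole string
// with a regex avoids index arithmetic, so surrogate pairs cannot misalign it.
function escapeRawTextContent(tag, text) {
  return text.replace(new RegExp('<\\/(' + tag + ')', 'gi'), '<\\/$1');
}

// Serialize a raw-text element and enforce the invariant that no raw closing
// tag survives in the escaped content (a cheap assertion for a test suite).
function serializeRawTextElement(tag, text) {
  const t = tag.toLowerCase();
  if (!RAW_TEXT_TAGS.includes(t)) throw new Error('not a raw-text element: ' + tag);
  const escaped = escapeRawTextContent(t, text);
  if (new RegExp('<\\/' + t, 'i').test(escaped)) {
    throw new Error('closing tag left unescaped inside <' + t + '>');
  }
  return '<' + t + '>' + escaped + '</' + t + '>';
}

// Read raw-text content the way a browser does: from the start tag up to the
// FIRST "</tag", regardless of what the serializer intended to be inside.
function rawTextAsBrowserSees(html, tag) {
  const openAt = html.search(new RegExp('<' + tag + '>', 'i'));
  const rest = html.slice(openAt + tag.length + 2);
  const closeAt = rest.search(new RegExp('<\\/' + tag, 'i'));
  return closeAt === -1 ? rest : rest.slice(0, closeAt);
}
```

Feeding serializeRawTextElement a constructed string that places an astral character before a closing tag, then comparing rawTextAsBrowserSees with escapeRawTextContent, is the regression check that distinguishes an escaper that counts code points from one that counts code units.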
Defensive priority
High priority should be given to patching affected systems. Developers should update to 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25 as soon as possible. In the meantime, ensure that user input is properly sanitized and validated to prevent the injection of malicious payloads.
Recommended defensive actions
- Update to 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25
- Implement additional input validation and sanitization for user-supplied data
- Monitor for suspicious activity and implement logging and alerting for potential XSS attacks
- Consider implementing Content Security Policy (CSP) to further mitigate XSS risks
- Review and update existing security policies and procedures to address this vulnerability
Evidence notes
The CVE record and NVD detail provide comprehensive information about the vulnerability, including its description, CVSS score, and affected versions. The source item URL provides additional information about the vulnerability, including references to mitigation and vendor references.
Official resources
- CVE-2026-50555 CVE record (CVE.org)
- CVE-2026-50555 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] (Third Party Advisory)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
This article is AI-assisted and based on the supplied source corpus.