PatchSiren cyber security CVE debrief
CVE-2026-50557 angular CVE debrief
CVE-2026-50557 is a medium-severity vulnerability in Angular that allows an attacker to bypass element and attribute sanitization/validation, leading to client-side Cross-Site Scripting (XSS). The issue arises from the improper identification of namespaced script elements and inconsistent handling of attributes within namespaced elements. It affects Angular versions prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22, and is fixed in those releases. An attacker can inject or supply a template/tag structure with custom namespaces to exploit this vulnerability. The CVSS score for this vulnerability is 5.3, indicating a medium severity level.
- Vendor: angular
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-26
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-26
Who should care
Developers and administrators using Angular versions prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22 should upgrade to the fixed versions. Security teams and vulnerability managers should prioritize this medium-severity vulnerability and ensure that affected systems are patched.
Technical summary
The vulnerability is caused by the improper identification of namespaced script elements (e.g., <svg:script> or <:svg:script>) by the Angular template preparser. This allows them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes do not consistently handle attributes within namespaced elements (like SVG and MathML), creating gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. An attacker can exploit this vulnerability by injecting or supplying a template/tag structure with custom namespaces, enabling them to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS).
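The following is an added illustration of the bug class described above, not Angular's own code: a script-element check and an attribute security-context lookup that key on the raw tag name miss namespaced spellings such as svg:script or :svg:script, while versions that first reduce the name to its local part do not. The schema table, the 'NONE'/'URL'/'RESOURCE_URL' labels and the lint-style template scan are constructed for this example.

```javascript
// Added illustration of the bug class, not Angular's code: a check that compares
// the raw tag name with "script" misses namespaced spellings like ":svg:script".

// Reduce a namespaced tag name to its local name (":svg:script" -> "script").
function localName(tagName) {
  const parts = tagName.toLowerCase().split(':');
  return parts[parts.length - 1];
}

// Weak check: exact match on the raw name, so namespaced forms slip through.
function isScriptElementNaive(tagName) {
  return tagName.toLowerCase() === 'script';
}

// Hardened check: decide on the local name, whatever namespace prefix is used.
function isScriptElementHardened(tagName) {
  return localName(tagName) === 'script';
}

// Constructed attribute security-context schema keyed by local element name
// ('*' applies to every element). Values name the sanitizer an attribute needs.
const ATTR_SECURITY_SCHEMA = {
  '*': { formaction: 'URL' },
  a: { href: 'URL' },
  iframe: { src: 'RESOURCE_URL' },
  use: { href: 'RESOURCE_URL' },
};

// Weak lookup: keys the schema on the raw tag name, so ":svg:a" matches no
// row and its "href" falls back to the unsanitized default 'NONE'.
function securityContextNaive(tagName, attrName) {
  const attr = attrName.toLowerCase();
  const row = ATTR_SECURITY_SCHEMA[tagName.toLowerCase()] || {};
  return row[attr] || ATTR_SECURITY_SCHEMA['*'][attr] || 'NONE';
}

// Hardened lookup: normalize the element to its local name before looking up.
function securityContextHardened(tagName, attrName) {
  return securityContextNaive(localName(tagName), attrName);
}

// Lint-style scan a build pipeline could run over template sources: return
// every opening tag whose local name is "script" but carries a namespace.
function findNamespacedScriptTags(template) {
  const found = [];
  for (const m of template.matchAll(/<\s*([A-Za-z:][\w.:-]*)/g)) {
    if (m[1].includes(':') && isScriptElementHardened(m[1])) found.push(m[1]);
  }
  return found;
}
```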
Defensive priority
This medium-severity vulnerability requires prompt attention from developers and administrators using affected Angular versions. Upgrading to the fixed versions (22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.22) is crucial to prevent potential client-side XSS attacks.
Recommended defensive actions
- Upgrade to Angular version 22.0.0-rc.2 or later
- Upgrade to Angular version 21.2.15 or later
- Upgrade to Angular version 20.3.22 or later
- Upgrade to Angular version 19.2.22 or later
- Review and update affected systems and applications
- Monitor for potential exploitation attempts
Evidence notes
The CVE-2026-50557 vulnerability is documented in the official CVE record and NVD detail pages. The vulnerability affects various versions of Angular, and the fixes are available in the mentioned versions. The CVSS score for this vulnerability is 5.3, indicating a medium severity level.
Official resources
- CVE-2026-50557 CVE record (CVE.org)
- CVE-2026-50557 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Source reference: [email protected] - Issue Tracking
- Mitigation or vendor reference: [email protected] - Third Party Advisory
This article is AI-assisted and based on the supplied source corpus.