CVE-2026-50556
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
A Cross-Site Scripting (XSS) vulnerability exists in Angular's @angular/platform-server component when rendering dynamic content inside <noscript> elements during Server-Side Rendering (SSR). The domino library fails to escape the closing </noscript> tag, allowing injection of arbitrary scripts.
Risk Assessment
An attacker can execute arbitrary JavaScript in the victim's browser, leading to session theft, account takeover, or content manipulation.
Recommendation
Upgrade Angular to version 22.0.0-rc.2, 21.2.16, 20.3.24, or 19.2.25 depending on your branch. If upgrading is not possible, avoid using template bindings inside <noscript> elements.
Original NVD description (English source)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.

