Angular: 14 CVEs Disclosed Across Core Packages — XSS, DoS, SSRF, and Cache Poisoning
Angular disclosed 14 vulnerabilities across five core packages on June 15, 2026, spanning XSS, DoS, information disclosure, cache poisoning, and SSRF — with several bugs targeting SSR and hydration pipelines.

Key findings
- 14 vulnerabilities disclosed across Angular core, common, compiler, platform-server, and service-worker packages
- Five XSS CVEs covering four distinct mechanisms: two-way property bindings in the template compiler, namespaced script elements, dynamic component creation, and SSR serialization of raw-text elements
- Two DoS vulnerabilities in the formatDate and formatNumber helpers behind DatePipe, DecimalPipe, PercentPipe, and CurrencyPipe, via unbounded format and digitsInfo parameters
- HttpTransferCache has weak 32-bit hashing and defaults to caching credentialed requests
- SSRF bypass in platform-server exploits URL parser differential between WHATWG and Domino
- All CVEs patched in the latest Angular release; no active exploitation reported
On June 15, 2026, the Angular team disclosed 14 security vulnerabilities across the framework's core packages — @angular/core, @angular/common, @angular/compiler, @angular/platform-server, and @angular/service-worker — all published within a two-hour window. The batch spans multiple bug classes, including cross-site scripting (XSS), denial of service (DoS), information disclosure, and server-side request forgery (SSRF), making it one of the most comprehensive coordinated disclosures in Angular's recent history. Users of Angular applications — especially those leveraging Server-Side Rendering (SSR), hydration, or the Service Worker — should review the patches immediately.
Cross-Site Scripting (XSS) Vulnerabilities
Five of the disclosed CVEs involve XSS, through four distinct mechanisms in Angular's template compiler, dynamic component creation, or SSR pipeline. CVE-2026-54265 in @angular/compiler allows bypassing DOM property sanitization through two-way property bindings on native properties such as innerHTML, srcdoc, src, href, data, or sandbox. CVE-2026-50557 affects both @angular/compiler and @angular/core by allowing namespaced script elements (e.g., <svg:script> or <:svg:script>) to evade Angular's element and attribute sanitization. CVE-2026-52725 in @angular/core permits mounting dynamic components directly onto <script> or namespaced script elements via createComponent. Finally, CVE-2026-50556 and CVE-2026-50555 in @angular/platform-server exploit missing or improper escaping in raw-text elements (<noscript>, <script>, <style>, <iframe>) during SSR serialization: the HTML tokenizer does not interpret entities inside these elements, so content that is left unescaped, or escaped as if it were ordinary text, can carry a closing tag that breaks out of the intended context.
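The raw-text problem above is easiest to see with a serializer in hand. The following is an added example, not Angular's code: it contrasts a serializer that copies content verbatim (missing escaping), one that entity-escapes as for a text node (improper escaping, which corrupts a JSON payload), and two correct approaches, `\u003c`-escaping for JSON inside `<script>` and refusing content that would close any other raw-text element. The element list follows the HTML tokenizer's raw-text and script-data states; the attacker string is constructed.

```javascript
// Added example, not Angular's code: why text-node escaping is the wrong tool
// inside raw-text elements, and a serializer that handles them correctly.

const RAW_TEXT_ELEMENTS = new Set(['script', 'style', 'noscript', 'iframe', 'xmp', 'noembed', 'noframes']);

// Constructed untrusted input that an SSR template might interpolate.
const ATTACKER_STRING = '</script><img src=x onerror="alert(1)">';

// Escaping that is correct for ordinary text nodes.
function escapeHtmlText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Inside a raw-text element the tokenizer only leaves on "</name" followed by
// whitespace, "/" or ">" (case-insensitive). Nothing else is interpreted.
function breaksOut(tag, body) {
  return new RegExp('</' + tag + '(?=[\\s/>])', 'i').test(body);
}

// The body of a serialized element: what the tokenizer sees between the tags.
function innerBody(markup, tag) {
  const open = markup.indexOf('>') + 1;
  const close = markup.lastIndexOf('</' + tag + '>');
  return markup.slice(open, close);
}

// Missing escaping: content copied verbatim. "</script>" in the data ends the element.
function serializeVerbatim(tag, text) {
  return `<${tag}>${text}</${tag}>`;
}

// Improper escaping: entity-escaping as for a text node. It does not break out,
// but the browser never decodes entities here, so a JSON or CSS payload is corrupted.
function serializeEntityEscaped(tag, text) {
  return `<${tag}>${escapeHtmlText(text)}</${tag}>`;
}

// Correct for JSON carried in <script type="application/json"> (the shape of a
// serialized-state payload): "<" becomes \u003c, which is valid JSON, so neither
// "</script" nor "<!--" can appear in the body.
function serializeJsonScript(value) {
  const json = JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return `<script type="application/json">${json}</script>`;
}

// Other raw-text elements have no in-band escape: refuse content that would
// terminate the element rather than emit it.
function serializeRawText(tag, text) {
  if (!RAW_TEXT_ELEMENTS.has(tag)) throw new Error(`<${tag}> is not a raw-text element`);
  if (breaksOut(tag, text)) throw new RangeError(`content would close <${tag}>; refusing to serialize`);
  // "<!--" moves the script tokenizer into its escaped states, where the
  // serializer's own closing tag can be swallowed; refuse it as well.
  if (tag === 'script' && text.includes('<!--')) throw new RangeError('"<!--" inside <script>; refusing to serialize');
  return `<${tag}>${text}</${tag}>`;
}
```

`breaksOut` is the check to run on the final body, not on the input: it is what the tokenizer will do with the bytes you actually emit. The entity-escaped variant passes that check, which is exactly why it looks safe while silently shipping `&lt;` into a JSON consumer.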
Denial of Service via Out-of-Memory
Two high-severity DoS vulnerabilities target Angular's formatting utilities in @angular/common. CVE-2026-54268 affects the formatDate function (used by DatePipe), which fails to limit the length of the format parameter, enabling an attacker to trigger an out-of-memory condition with a maliciously crafted string. Similarly, CVE-2026-50171 targets formatNumber (used by DecimalPipe, PercentPipe, and CurrencyPipe), where unbounded fraction-digit values in the digitsInfo parameter can exhaust server or client memory. Both bugs require the attacker to influence the format or digitsInfo argument, so applications that derive those values from user input (for example a query-string parameter) are the ones exposed.
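The fix pattern for both bugs is the same: bound the caller-controlled parameter before it drives any allocation. The following is an added example, not Angular's code. The `digitsInfo` grammar `{minIntegerDigits}.{minFractionDigits}-{maxFractionDigits}` is the one Angular documents for DecimalPipe; the caps, defaults, and the small formatter are this example's own and are labelled as such.

```javascript
// Added example, not Angular's code: bounded parsing of digitsInfo and date
// format strings, and a decimal formatter that can only pad as far as the caps allow.

const LIMITS = {                // constructed caps for this example
  maxDigitsInfoLength: 16,      // longest digitsInfo string this code will even parse
  maxIntegerDigits: 21,         // cap on minIntegerDigits padding
  maxFractionDigits: 20,        // cap on fraction digits (toFixed itself accepts 0..100)
  maxDateFormatLength: 64,      // cap on a date format string
};

// Documented grammar: {minIntegerDigits}.{minFractionDigits}-{maxFractionDigits}
const DIGITS_INFO_RE = /^(\d+)?(?:\.(\d+)(?:-(\d+))?)?$/;

// Parse and bound a digitsInfo string. Throws RangeError instead of handing an
// attacker-chosen digit count to the padding code. Defaults are this example's.
function parseDigitsInfo(digitsInfo, limits = LIMITS) {
  if (typeof digitsInfo !== 'string' || digitsInfo.length > limits.maxDigitsInfoLength) {
    throw new RangeError('digitsInfo too long or not a string');
  }
  const m = DIGITS_INFO_RE.exec(digitsInfo);
  if (m === null) throw new RangeError(`malformed digitsInfo: ${digitsInfo}`);
  const minInt = m[1] === undefined ? 1 : Number(m[1]);
  const minFrac = m[2] === undefined ? 0 : Number(m[2]);
  const maxFrac = m[3] === undefined ? Math.max(minFrac, 3) : Number(m[3]);
  if (minInt > limits.maxIntegerDigits) throw new RangeError(`minIntegerDigits ${minInt} exceeds cap`);
  if (maxFrac > limits.maxFractionDigits) throw new RangeError(`maxFractionDigits ${maxFrac} exceeds cap`);
  if (minFrac > maxFrac) throw new RangeError('minFractionDigits exceeds maxFractionDigits');
  return { minInt, minFrac, maxFrac };
}

// A small decimal formatter driven only by bounded values: every pad here is
// capped by LIMITS, so no digitsInfo can make it allocate a large string.
function formatDecimalBounded(value, digitsInfo = '1.0-3', limits = LIMITS) {
  const { minInt, minFrac, maxFrac } = parseDigitsInfo(digitsInfo, limits);
  const [intRaw, fracRaw = ''] = Math.abs(value).toFixed(maxFrac).split('.');
  let frac = fracRaw.replace(/0+$/, '');                 // drop trailing zeros above minFrac
  if (frac.length < minFrac) frac = frac.padEnd(minFrac, '0');
  const int = intRaw.padStart(minInt, '0');
  return (value < 0 ? '-' : '') + int + (frac ? '.' + frac : '');
}

// Date format strings are caller-controlled too: length-check before use.
function boundedDateFormat(format, limits = LIMITS) {
  if (typeof format !== 'string') throw new TypeError('format must be a string');
  if (format.length > limits.maxDateFormatLength) {
    throw new RangeError(`format string of ${format.length} chars exceeds cap of ${limits.maxDateFormatLength}`);
  }
  return format;
}
```

The length check on the raw `digitsInfo` string matters as much as the numeric caps: it bounds the regex work and rules out a 40-digit fraction count before `Number()` ever sees it. A formatter without such caps pays a cost linear in whatever the attacker wrote after the dash.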
Information Disclosure and Cache Poisoning
Three vulnerabilities involve Angular's HttpTransferCache, which caches HTTP responses during SSR so they can be reused during client hydration instead of re-fetched. CVE-2026-54266 reveals that the cache key is generated using a weak 32-bit hash, making it susceptible to collisions in which two different requests map to the same entry, leading to cross-request data leakage and state poisoning. CVE-2026-50170 discloses that the HttpTransferCache caches credentialed requests by default, potentially leaking authentication tokens or session cookies to the client-side TransferState. CVE-2026-54267 describes a DOM clobbering attack against the hydration script tag, allowing an attacker to poison the response cache and inject arbitrary content.
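Both cache issues come down to two decisions: how a request is keyed and which requests are eligible at all. The following is an added example, not Angular's code: a toy transfer cache whose key function and caching policy can be swapped. FNV-1a stands in for "some 32-bit hash"; the request objects and the set of credential headers are constructed. `findCollision` searches realistic-looking GET URLs until two share a weak key, and `poisoningDemo` shows that reading back request A from the weak-keyed cache returns B's body.

```javascript
// Added example, not Angular's code: a toy transfer cache showing why a 32-bit
// key lets two different requests share one entry, and a policy that refuses
// credentialed requests.

const SENSITIVE_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Canonical description of a request: method, URL and non-sensitive headers,
// sorted so header order does not change the key. Sensitive headers are left
// out so the key can be shipped to the client without leaking them.
function describeRequest(req) {
  const headers = Object.entries(req.headers ?? {})
    .map(([k, v]) => [k.toLowerCase(), String(v)])
    .filter(([k]) => !SENSITIVE_HEADERS.has(k))
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${k}:${v}`)
    .join('\n');
  return `${req.method.toUpperCase()} ${req.url}\n${headers}`;
}

// FNV-1a, 32-bit. Any 32-bit hash has the same problem: about 65k distinct inputs
// give a 50% chance of a collision, and an attacker can search for one offline.
function fnv1a32(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, '0');
}

const weakKey = (req) => fnv1a32(describeRequest(req));
// Hardened key: the canonical description itself. Distinct requests cannot share it.
const strongKey = (req) => describeRequest(req);

function isCredentialed(req) {
  if (req.withCredentials) return true;
  return Object.keys(req.headers ?? {}).some((h) => SENSITIVE_HEADERS.has(h.toLowerCase()));
}
const cacheEverything = () => true;                        // permissive policy
const cacheAnonymousOnly = (req) => !isCredentialed(req);  // hardened policy

class TransferCache {
  constructor({ keyFn, shouldCache }) {
    this.keyFn = keyFn;
    this.shouldCache = shouldCache;
    this.store = new Map();
  }
  put(req, body) {
    if (!this.shouldCache(req)) return false;
    this.store.set(this.keyFn(req), body);
    return true;
  }
  get(req) {
    return this.store.get(this.keyFn(req));
  }
}

// Walk sequential GET requests until two share a weak key. Expected after
// roughly 77k tries; the bound is far above that.
function findCollision(maxTries = 1000000) {
  const seen = new Map();
  for (let i = 0; i < maxTries; i++) {
    const req = { method: 'GET', url: `https://api.example.com/items?page=${i}` };
    const k = weakKey(req);
    if (seen.has(k)) {
      return [{ method: 'GET', url: `https://api.example.com/items?page=${seen.get(k)}` }, req];
    }
    seen.set(k, i);
  }
  return null;
}

// Fill a weak-keyed and a strong-keyed cache with the colliding pair, then read back A.
function poisoningDemo() {
  const pair = findCollision();
  if (pair === null) return null;
  const [a, b] = pair;
  const weak = new TransferCache({ keyFn: weakKey, shouldCache: cacheEverything });
  const strong = new TransferCache({ keyFn: strongKey, shouldCache: cacheEverything });
  for (const cache of [weak, strong]) {
    cache.put(a, `body for ${a.url}`);
    cache.put(b, `body for ${b.url}`);
  }
  return { a, b, weakReadsForA: weak.get(a), strongReadsForA: strong.get(a) };
}
```

Using the full canonical descriptor as the key costs a few more bytes in the serialized state but removes the collision class outright; a cryptographic hash would also work, provided its output is wide enough that offline collision search is infeasible. The policy half is independent of the key: refusing to cache anything carrying an Authorization or Cookie header, or sent with credentials, keeps those responses out of the TransferState regardless of how it is keyed.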
Service Worker Policy Bypasses
The @angular/service-worker package is affected by three related issues. CVE-2026-54264 describes a failure to strip sensitive headers when the Service Worker follows cross-origin redirects, so credential-bearing headers are forwarded to a third-party origin. CVE-2026-50184 and CVE-2026-50169 both involve request reconstruction during asset interception, where credentials and cache policies are dropped from the reconstructed Request object, so the re-issued request runs with weaker credential handling or a more permissive cache mode than the original.
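The two halves of a correct rebuild, filtering headers by origin and carrying every fetch option across, are short enough to show together. The following is an added example, not Angular's Service Worker code: a redirect-following fetch wrapper over a constructed two-host "network", with a faithful `reconstructRequest` next to the lossy rebuild the advisory describes. `fetchImpl` is a synchronous stand-in for fetch that does not follow redirects itself; credentials here are modelled as request headers, whereas in a browser cookies are attached by the cookie store according to the credentials mode.

```javascript
// Added example, not Angular's code: strip credential headers on cross-origin
// redirects and keep credentials/cache modes when a request is rebuilt.

const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie', 'proxy-authorization']);

// Fetch's own defaults, which a rebuilt request silently falls back to when the
// original options are not copied across.
const FETCH_DEFAULTS = { credentials: 'same-origin', cache: 'default', mode: 'cors', redirect: 'follow' };

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Headers allowed to travel from fromUrl to toUrl: credential headers only on a same-origin hop.
function headersForRedirect(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers ?? {})) {
    if (crossOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Faithful rebuild: new URL, filtered headers, every security-relevant option kept.
function reconstructRequest(original, newUrl) {
  return {
    method: original.method,
    url: newUrl,
    headers: headersForRedirect(original.headers, original.url, newUrl),
    credentials: original.credentials,
    cache: original.cache,
    mode: original.mode,
    redirect: original.redirect,
  };
}

// Lossy rebuild of the kind described above: only method and URL survive, so
// credentials and cache mode revert to FETCH_DEFAULTS.
function reconstructRequestLossy(original, newUrl) {
  return { method: original.method, url: newUrl, headers: {} };
}

// Options that actually apply once defaults fill the gaps.
function effectiveOptions(req) {
  const out = { ...FETCH_DEFAULTS };
  for (const k of Object.keys(FETCH_DEFAULTS)) if (req[k] !== undefined) out[k] = req[k];
  return out;
}

// Manual redirect loop; fetchImpl must not follow redirects itself.
function fetchFollowingRedirects(req, fetchImpl, maxHops = 5) {
  let current = req;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = fetchImpl(current);
    const location = res.headers && res.headers.location;
    if (res.status < 300 || res.status > 399 || !location) return { response: res, request: current };
    current = reconstructRequest(current, new URL(location, current.url).href);
  }
  throw new Error('too many redirects');
}

// Constructed network: the app origin redirects one script to a CDN and moves another in place.
const FAKE_NETWORK = {
  'https://app.example.com/assets/app.js': { status: 302, headers: { location: 'https://cdn.example.net/app.js' } },
  'https://cdn.example.net/app.js': { status: 200, headers: {}, body: 'console.log("app")' },
  'https://app.example.com/old.js': { status: 301, headers: { location: '/new.js' } },
  'https://app.example.com/new.js': { status: 200, headers: {}, body: 'console.log("new")' },
};

// Records every request it is handed so the test can inspect what reached each host.
function makeFakeFetch(log) {
  return (req) => {
    log.push(req);
    return FAKE_NETWORK[req.url] ?? { status: 404, headers: {}, body: '' };
  };
}

// Constructed original request: credentialed, with a strict cache mode.
function sampleRequest(url) {
  return {
    method: 'GET', url,
    headers: { Authorization: 'Bearer t0k3n', Cookie: 'sid=abc', Accept: '*/*' },
    credentials: 'include', cache: 'no-store', mode: 'cors', redirect: 'manual',
  };
}
```

The origin comparison uses `URL.origin`, so scheme and port count: an `http:` to `https:` hop on the same host is cross-origin and drops the credential headers. `effectiveOptions` is the check to run on any rebuilt request in review: if `cache` reads `default` where the original said `no-store`, the rebuild is lossy.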
SSRF Allowlist Bypass
CVE-2026-50168 in @angular/platform-server exploits a parser differential between the strict WHATWG URL parser used to validate requests against the host allowlist and the lenient Domino URL parser used internally to resolve the request. An attacker can craft a URL that the allowlist check attributes to a permitted host while the request is actually sent to an arbitrary external endpoint, enabling server-side request forgery (SSRF).
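A parser differential is concrete once you put both parsers side by side on the same string. The following is an added example, not platform-server's code: `vulnerableDispatch` validates with the platform's WHATWG `URL` and "connects" with a lenient parser, while `hardenedDispatch` parses once and forwards only the canonical `url.href`. The lenient regex parser is constructed for this example to exhibit the class of bug and is not Domino's parser; the allowlist and probe URLs are constructed as well.

```javascript
// Added example, not platform-server's code: allowlist checked with one parser,
// connection made with another, and a dispatcher that parses only once.

const ALLOWED_HOSTS = new Set(['api.example.com']);   // constructed allowlist

// Strict: the platform's WHATWG URL parser.
function strictHost(raw) {
  try { return new URL(raw).hostname; } catch { return null; }
}

// Lenient (constructed, not Domino's): takes everything before the last "@" of
// the authority as userinfo and does not know that "\" ends the authority for http(s).
function lenientHost(raw) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^/]*@)?([^/:?#]+)/i.exec(raw);
  return m ? m[1].toLowerCase() : null;
}

// Vulnerable shape: validate the raw string with the strict parser, then let the
// transport re-parse the same raw string leniently.
function vulnerableDispatch(raw) {
  const checked = strictHost(raw);
  if (checked === null || !ALLOWED_HOSTS.has(checked)) return { allowed: false, connectsTo: null };
  return { allowed: true, connectsTo: lenientHost(raw) };
}

// Hardened shape: parse once, validate scheme, embedded credentials and host on
// the parsed object, and hand the canonical serialization (url.href) to the
// transport so the raw string is never parsed a second time.
function hardenedDispatch(raw) {
  let url;
  try { url = new URL(raw); } catch { return { allowed: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { allowed: false, reason: 'scheme' };
  if (url.username !== '' || url.password !== '') return { allowed: false, reason: 'credentials in URL' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { allowed: false, reason: 'host not allowlisted' };
  return { allowed: true, href: url.href, connectsTo: lenientHost(url.href) };
}

// Constructed probes; differentials() lists those on which the two parsers disagree.
const PROBES = [
  'http://api.example.com\\@evil.example/x',   // "\" ends the authority for WHATWG only
  'http://evil.example#@api.example.com/',     // "@" in the fragment fools the lenient parser
  'http://api.example.com@evil.example/',      // genuine userinfo: both parsers agree
  'http://api.example.com/@evil.example/',     // canonical form of the first probe: both agree
];

function differentials(probes = PROBES) {
  return probes
    .map((raw) => ({ raw, strict: strictHost(raw), lenient: lenientHost(raw) }))
    .filter((p) => p.strict !== p.lenient);
}
```

The first probe is the dangerous direction: WHATWG reads `api.example.com` with path `/@evil.example/x`, so the allowlist check passes, while the lenient parser sends the request to `evil.example`. The second probe fails the other way and is harmless because validation rejects it. Passing `url.href` downstream removes the differential because the canonical form has no backslash left to disagree about; rejecting userinfo outright is defence in depth for parsers that still disagree on `@`.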
Patch Status and Mitigation
The Angular team has addressed all 14 vulnerabilities in the latest release. Users should upgrade to the most recent version of Angular and its associated packages (@angular/core, @angular/common, @angular/compiler, @angular/platform-server, @angular/service-worker). Applications using SSR with hydration or the Service Worker are at the highest risk and should prioritize patching. No in-the-wild exploitation has been reported at the time of disclosure.
Why This Batch Matters
This disclosure is notable for its breadth: it covers five bug classes (XSS, DoS, information disclosure, cache poisoning, and SSRF) across multiple Angular subsystems. The concentration of SSR- and hydration-related bugs underscores the difficulty of serializing application state on the server and rehydrating it on the client without the serialized bytes, cache keys, or URLs being interpreted differently on each side. Angular developers should treat this as a signal to audit their SSR configurations and ensure they are running the latest patched versions.