`). When parsed by a browser, it closes the `

` block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS).\n\n### Impact\n\nThis vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks against any user visiting an SSR-rendered page that binds user-controlled data inside a `<noscript>` element. This can lead to session hijacking, credentials theft, unauthorized actions on behalf of users, and defacement.\n\n### Patched Versions\n\n- 22.0.0-rc.2\n- 21.2.16\n- 20.3.24\n- 19.2.25\n\n### Workarounds\n\nIf you cannot immediately update your dependencies, you can:\n\n- Avoid binding user-controlled values inside `<noscript>` elements.\n- Sanitize any user input placed inside `<noscript>` to explicitly strip closing `

` tags before passing it to the template.","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-50556"]},"keywords":"CVE-2026-50556, high, Angular Angular","mentions":[{"@type":"SoftwareApplication","name":"Angular","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"Angular"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2026-50556","item":"https://portal.vyprsec.ai/cves/CVE-2026-50556"}]}]}

High severity8.6GHSA Advisory· Published Jun 15, 2026· Updated Jun 15, 2026

@angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR

CVE-2026-50556

Description

An XSS vulnerability in Angular's SSR domino dependency fails to escape ` inside ` elements, allowing script injection when user-controlled data is bound.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in Angular's SSR `domino` dependency fails to escape `` inside `` elements, allowing script injection when user-controlled data is bound.

Vulnerability

A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of ` elements during Server-Side Rendering (SSR). When dynamic text content is bound inside a element via template bindings such as {{ value }} or [textContent], the domino serializer omits from the list of raw-text elements requiring closing-tag escaping [1][2]. This causes any occurrence of in the bound dynamic text to remain unescaped, allowing an attacker to break out of the block. The vulnerability affects Angular versions prior to 19.2.25, 20.3.24, 21.2.16, and 22.0.0-rc.2` [3].

Exploitation

An attacker needs to inject user-controlled data into an Angular template that binds that data inside a ` element under SSR. The attacker can include a string such as in the bound value [2][3]. The domino serializer outputs this string unescaped into the HTML sent to the client (e.g., ). When the browser parses the HTML, it treats the injected as a closing tag, allowing the subsequent ` block to execute. No authentication or special network position beyond the ability to provide the input is required [2][3].

Impact

Successful exploitation enables same-origin XSS, allowing the attacker to execute arbitrary JavaScript in the victim's browser context. This can lead to session hijacking, credential theft, unauthorized actions on behalf of the user, and website defacement [2][3]. The attacker gains the full privileges of the authenticated user within the application.

Mitigation

Angular patched the vulnerability in versions 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25 by updating the domino dependency to include proper escaping of ` in raw-text serialization [1][3]. Users should upgrade to one of these fixed versions or later. If upgrading immediately is not possible, workarounds include avoiding binding user-controlled values inside elements, or sanitizing user input to explicitly strip any ` string before passing it to the template [2][3].

References

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Angular/AngularGHSA
Range: <= 18.2.14

Patches

f74cccd49628

fixup! fix: Escapes </noscript in raw text when scripting enabled

https://github.com/angular/dominoSkyZeroZxMay 26, 2026via ghsa-ref

commit PR #29

2 files changed · +4 −7

lib/NodeUtils.js+3 −4 modified

@@ -29,6 +29,7 @@ var hasRawContent = {
   XMP: true,
   IFRAME: true,
   NOEMBED: true,
+  NOSCRIPT: true,
   NOFRAMES: true,
   PLAINTEXT: true
 };
@@ -195,8 +196,7 @@ function serializeOne(kid, parent) {
         // If an element can have raw content, this content may
         // potentially require escaping to avoid XSS.
         var upperTag = tagname.toUpperCase();
-        if (hasRawContent[upperTag] ||
-            (upperTag === 'NOSCRIPT' && kid.ownerDocument._scripting_enabled)) {
+        if (hasRawContent[upperTag]) {
           ss = escapeMatchingClosingTag(ss, tagname);
         }
         if (html && extraNewLine[tagname] && ss.charAt(0)==='\n') s += '\n';
@@ -214,8 +214,7 @@ function serializeOne(kid, parent) {
       else
         parenttag = '';
 
-      if (hasRawContent[parenttag] ||
-          (parenttag==='NOSCRIPT' && parent.ownerDocument._scripting_enabled)) {
+      if (hasRawContent[parenttag]) {
         s += kid.data;
       } else {
         s += escape(kid.data);

test/xss.js+1 −3 modified

@@ -180,13 +180,11 @@ exports.styleMatchingClosingTagSkipsUnclosedCommentedContent = function () {
 };
 
 exports.noscriptMatchingClosingTagInRawText = function () {
-  // Use a parsed document so `_scripting_enabled` is true, matching how
-  // Angular SSR / platform-server uses domino. With scripting enabled,
   // <noscript> is a raw-text element on serialization and its text data
   // must have any `</noscript` closing-tag prefix escaped, otherwise an
   // attacker-controlled text payload can break out and inject a live
   // <script> sibling in the receiving browser.
-  const document = domino.createDocument('<!doctype html><html><body></body></html>');
+  const document = domino.createDocument('');
   const noscript = document.createElement('noscript');
   noscript.textContent = 'abc</noscript><script>alert(1)</script>';
   document.body.appendChild(noscript);

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000