Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25.
Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
Problem type
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
angular
>= 22.0.0-next.0, < 22.0.0-rc.2 - AFFECTED
>= 21.0.0-next.0, < 21.2.16 - AFFECTED
>= 20.0.0-next.0, < 20.3.24 - AFFECTED
>= 19.0.0-next.0, < 19.2.25 - AFFECTED
<= 18.2.14 - AFFECTED
References
https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx
https://github.com/angular/angular/issues/68903
https://github.com/angular/domino/pull/29
GitHub Security Advisories
GHSA-gxx4-3xcv-f8qx
@angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
https://github.com/advisories/GHSA-gxx4-3xcv-f8qx
A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements.
When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element.
However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances.
The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS).
Impact
This vulnerability allows an attacker to perform same-origin Cross-Site Scripting (XSS) attacks against any user visiting an SSR-rendered page that binds user-controlled data inside a <noscript> element. This can lead to session hijacking, credentials theft, unauthorized actions on behalf of users, and defacement.
Patched Versions
- 22.0.0-rc.2
- 21.2.16
- 20.3.24
- 19.2.25
Workarounds
If you cannot immediately update your dependencies, you can:
- Avoid binding user-controlled values inside <noscript> elements.
- Sanitize any user input placed inside <noscript> to explicitly strip closing </noscript> tags before passing it to the template.
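The serialization defect and the strip-the-closing-tag workaround above, modelled as an added example. This is not domino's or Angular's code: it is a toy serializer that treats the text children of raw-text elements the way the advisory describes, once with `noscript` missing from the closing-tag-escaping list (the bug) and once with it present (the fix). The element lists, the `{tag, children}` node shape, the `&lt;/` escaping scheme and the `PAYLOAD` value are all assumptions made for illustration.

```javascript
// Added example, not domino's or Angular's code. Models the raw-text serialization
// behaviour in the advisory; element lists, node shape, escaping scheme and payload are
// assumptions for illustration only.

// With scripting enabled a browser parses the contents of these elements as raw text:
// entities are not decoded and the element ends at the first "</name" sequence.
const RAW_TEXT_ELEMENTS = new Set([
  'script', 'style', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext', 'noscript',
]);

// Raw-text elements whose text children get closing-tag escaping when serialized.
// Vulnerable configuration: 'noscript' is missing (the defect the advisory describes).
const CLOSING_TAG_ESCAPED_VULNERABLE = new Set([
  'script', 'style', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext',
]);
// Fixed configuration: 'noscript' is in the list too.
const CLOSING_TAG_ESCAPED_FIXED = new Set([...CLOSING_TAG_ESCAPED_VULNERABLE, 'noscript']);

// Ordinary text nodes: entity-escape the HTML metacharacters.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Inside raw text the only thing that matters is that "</name" never appears.
// Replacing the "<" of that sequence with "&lt;" is this example's assumption; it was
// chosen because a no-JS browser parses <noscript> contents as ordinary HTML and then
// shows "</noscript>" as literal text instead of a tag.
function escapeClosingTag(text, tagName) {
  return text.replace(new RegExp('</(?=' + tagName + ')', 'gi'), '&lt;/');
}

// Tiny DOM model: an element is {tag, children}; a text node is a plain string.
function serialize(node, closingTagEscaped) {
  if (typeof node === 'string') return escapeText(node);
  let out = '<' + node.tag + '>';
  for (const child of node.children) {
    if (typeof child === 'string' && RAW_TEXT_ELEMENTS.has(node.tag)) {
      // Raw text is emitted verbatim; the closing tag is only neutralised for listed tags.
      out += closingTagEscaped.has(node.tag) ? escapeClosingTag(child, node.tag) : child;
    } else {
      out += serialize(child, closingTagEscaped);
    }
  }
  return out + '</' + node.tag + '>';
}

// Check over serialized HTML: a browser ends a raw-text <noscript> at the first
// "</noscript" it meets, so more closing sequences than opening tags means bound text
// closed the element early and whatever follows is parsed as live markup.
function noscriptBreakout(html) {
  const opens = (html.match(/<noscript[\s>]/gi) || []).length;
  const closes = (html.match(/<\/noscript/gi) || []).length;
  return closes > opens;
}

// Workaround from the advisory: remove "</noscript" from user input before binding it.
// The loop matters: a single pass turns "</</noscriptnoscript>" into "</noscript>".
function stripNoscriptClose(value) {
  let prev;
  do {
    prev = value;
    value = value.replace(/<\/noscript/gi, '');
  } while (value !== prev);
  return value;
}

// Models the SSR output of the template <div><noscript>{{ value }}</noscript></div>.
function renderNoscript(value, closingTagEscaped) {
  const doc = { tag: 'div', children: [{ tag: 'noscript', children: [value] }] };
  return serialize(doc, closingTagEscaped);
}

// Constructed attacker-controlled value for the {{ value }} binding.
const PAYLOAD = '</noscript><script>alert(1)</script>';

const vulnerable = renderNoscript(PAYLOAD, CLOSING_TAG_ESCAPED_VULNERABLE);
const fixed = renderNoscript(PAYLOAD, CLOSING_TAG_ESCAPED_FIXED);
const workedAround = renderNoscript(stripNoscriptClose(PAYLOAD), CLOSING_TAG_ESCAPED_VULNERABLE);

console.log('vulnerable:', vulnerable, noscriptBreakout(vulnerable));
console.log('fixed:     ', fixed, noscriptBreakout(fixed));
console.log('workaround:', workedAround, noscriptBreakout(workedAround));
```

`noscriptBreakout` is the kind of check worth running over your own SSR output for pages that bind data inside `<noscript>`: it flags the vulnerable rendering and passes both the escaped and the sanitized ones. The workaround leaves the rest of the payload (`<script>...</script>`) in place as inert raw text, which is why the advisory's stronger recommendation is to not bind user-controlled values inside `<noscript>` at all.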
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-50556
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-50556",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T21:17:45.731Z",
"dateReserved": "2026-06-04T21:34:34.426Z",
"datePublished": "2026-06-22T15:38:28.166Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T15:38:28.166Z"
},
"title": "Angular: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR",
"descriptions": [
{
"lang": "en",
"value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of <noscript> elements. When rendering dynamic text content inside a <noscript> element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning <noscript> is treated as a raw-text element. However, domino's serializer completely omitted <noscript> from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of </noscript> in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the output HTML (e.g. <noscript></noscript><script>alert(1)</script></noscript>). When parsed by a browser, it closes the <noscript> block early, allowing the injected <script> block to execute in the user's browser context, causing same-origin Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25."
}
],
"affected": [
{
"vendor": "angular",
"product": "angular",
"versions": [
{
"version": ">= 22.0.0-next.0, < 22.0.0-rc.2",
"status": "affected"
},
{
"version": ">= 21.0.0-next.0, < 21.2.16",
"status": "affected"
},
{
"version": ">= 20.0.0-next.0, < 20.3.24",
"status": "affected"
},
{
"version": ">= 19.0.0-next.0, < 19.2.25",
"status": "affected"
},
{
"version": "<= 18.2.14",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx",
"name": "https://github.com/angular/angular/security/advisories/GHSA-gxx4-3xcv-f8qx",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/angular/angular/issues/68903",
"name": "https://github.com/angular/angular/issues/68903",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/angular/domino/pull/29",
"name": "https://github.com/angular/domino/pull/29",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T21:17:45.731Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}