Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-54267 (GCVE-0-2026-54267)
Vulnerability from cvelistv5 – Published: 2026-06-22 15:30 – Updated: 2026-06-22 16:00
VLAI
EPSS
Title
Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
Summary
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/angular/angular/security/advis… | x_refsource_CONFIRM |
| https://github.com/angular/angular/pull/69064 | x_refsource_MISC |
| https://github.com/angular/angular/commit/6bde84f… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-54267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:00:23.479828Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T16:00:36.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "angular",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
},
{
"status": "affected",
"version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
},
{
"status": "affected",
"version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
},
{
"status": "affected",
"version": "\u003c= 19.2.25"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application\u0027s runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a \u003cscript\u003e tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById(\u0027ng-state\u0027) and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., \u003cdiv [id]=\"userInput\"\u003e or \u003ca id=\"ng-state\"\u003e) before the genuine \u003cscript\u003e tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById(\u0027ng-state\u0027), the browser returns the attacker\u0027s clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-471",
"description": "CWE-471: Modification of Assumed-Immutable Data (MAID)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T15:30:48.699Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg"
},
{
"name": "https://github.com/angular/angular/pull/69064",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular/pull/69064"
},
{
"name": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa"
}
],
"source": {
"advisory": "GHSA-rgjc-h3x7-9mwg",
"discovery": "UNKNOWN"
},
"title": "Angular Client Hydration DOM Clobbering \u0026 Response-Cache Poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-54267",
"datePublished": "2026-06-22T15:30:48.699Z",
"dateReserved": "2026-06-12T17:13:32.279Z",
"dateUpdated": "2026-06-22T16:00:36.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-54267",
"date": "2026-06-27",
"epss": "0.00179",
"percentile": "0.07699"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-54267\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-22T16:00:23.479828Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-22T16:00:32.310Z\"}}], \"cna\": {\"title\": \"Angular Client Hydration DOM Clobbering \u0026 Response-Cache Poisoning\", \"source\": {\"advisory\": \"GHSA-rgjc-h3x7-9mwg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"angular\", \"product\": \"angular\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 22.0.0-next.0 \u003c 22.0.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 21.0.0-next.0 \u003c 21.2.17\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0-next.0 \u003c 20.3.25\"}, {\"status\": \"affected\", \"version\": \"\u003c= 19.2.25\"}]}], \"references\": [{\"url\": \"https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg\", \"name\": \"https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/angular/angular/pull/69064\", \"name\": \"https://github.com/angular/angular/pull/69064\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa\", \"name\": \"https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application\u0027s runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a \u003cscript\u003e tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById(\u0027ng-state\u0027) and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., \u003cdiv [id]=\\\"userInput\\\"\u003e or \u003ca id=\\\"ng-state\\\"\u003e) before the genuine \u003cscript\u003e tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById(\u0027ng-state\u0027), the browser returns the attacker\u0027s clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-471\", \"description\": \"CWE-471: Modification of Assumed-Immutable Data (MAID)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-22T15:30:48.699Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-54267\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-22T16:00:36.910Z\", \"dateReserved\": \"2026-06-12T17:13:32.279Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-22T15:30:48.699Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-54267
Vulnerability from fkie_nvd - Published: 2026-06-22 16:16 - Updated: 2026-06-26 19:35
Severity
Summary
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| angularjs | angularjs | * | |
| angularjs | angularjs | * | |
| angularjs | angularjs | * | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 | |
| angularjs | angularjs | 22.0.0 |
{
"affected": [
{
"affectedData": [
{
"product": "angular",
"vendor": "angular",
"versions": [
{
"status": "affected",
"version": "\u003e= 22.0.0-next.0 \u003c 22.0.1"
},
{
"status": "affected",
"version": "\u003e= 21.0.0-next.0 \u003c 21.2.17"
},
{
"status": "affected",
"version": "\u003e= 20.0.0-next.0 \u003c 20.3.25"
},
{
"status": "affected",
"version": "\u003c= 19.2.25"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D644738B-D0F5-42F8-A1E2-C1335B20AE22",
"versionEndIncluding": "19.2.25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A48DC038-6AC5-410D-BCE0-49FF58A9C79C",
"versionEndExcluding": "20.3.25",
"versionStartIncluding": "20.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3B61B3E3-E68F-47D2-8EAE-2B18631590B0",
"versionEndExcluding": "21.2.17",
"versionStartIncluding": "21.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*",
"matchCriteriaId": "3CAB422E-FCB2-4AD0-8C6F-90F8DDCF046B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*",
"matchCriteriaId": "E3F939B4-3291-4AC7-B8A0-437981B44A15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*",
"matchCriteriaId": "5EF3D989-611A-4794-BF55-18E32CD6A37C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*",
"matchCriteriaId": "2D66CF2E-7578-41ED-8714-4BB4124E1BBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*",
"matchCriteriaId": "45E0B5CB-3D0D-4E94-B5B5-DA44868AFC56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*",
"matchCriteriaId": "DE5BE0D4-C971-4BDE-9208-A804D4D0F499",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*",
"matchCriteriaId": "2E2939BC-2B96-421F-9A92-213FC8E69958",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*",
"matchCriteriaId": "A6334AFE-E843-4DD0-8118-B843BB54D62F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*",
"matchCriteriaId": "9B7E0ECF-91DD-4F4A-B1A4-66A3380E0D52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*",
"matchCriteriaId": "8AA37933-9C41-4B5D-BB35-FC8BAD3FBB1A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*",
"matchCriteriaId": "FD03563D-4DAC-4C3A-A89B-277C2109BC3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*",
"matchCriteriaId": "C42CDCDD-BCAF-4F2F-8A0D-703431BDA3AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*",
"matchCriteriaId": "07E4BC13-3946-4756-A10F-8DBDC812553C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*",
"matchCriteriaId": "B2AA884A-730A-45C6-83FE-104E9FD358EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "6EA55F1C-F490-4E2F-9E93-5FF1C31FC78F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "83DB751D-E29B-4A3A-AA30-8BD6312700C8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "42DC4414-7737-4BE9-9DE9-9FCB60BFF6F7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application\u0027s runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a \u003cscript\u003e tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById(\u0027ng-state\u0027) and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., \u003cdiv [id]=\"userInput\"\u003e or \u003ca id=\"ng-state\"\u003e) before the genuine \u003cscript\u003e tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById(\u0027ng-state\u0027), the browser returns the attacker\u0027s clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
}
],
"id": "CVE-2026-54267",
"lastModified": "2026-06-26T19:35:20.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-54267",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T16:00:23.479828Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-22T16:16:39.457",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/angular/angular/pull/69064"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-471"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-RGJC-H3X7-9MWG
Vulnerability from github – Published: 2026-06-15 15:16 – Updated: 2026-06-15 15:16
VLAI
Summary
Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
Details
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier:
<script type="application/json" id="ng-state">
{"some-api-url": {"body": ...}}
</script>
````
During client bootstrap, Angular recovers this state by looking up the element via `document.getElementById('ng-state')` and parsing its text content.
Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (`ng-state`), it is susceptible to **DOM Clobbering**.
If the application binds untrusted user input or CMS content to element properties such as `id` (e.g., `<div [id]="userInput">` or `<a id="ng-state">`) *before* the genuine `<script>` tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.
During hydration, when Angular calls `document.getElementById('ng-state')`, the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.
### Impact
By clobbering the state element, the attacker can inject a custom JSON payload into Angular's `TransferState` cache. The most critical exploitation vector is poisoning the **HTTP Transfer Cache**.
1. The attacker injects a clobbered `ng-state` element containing custom JSON.
2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice.
3. During client-side initialization, Angular's `HttpClient` checks `TransferState` before making requests. Finding the poisoned key, `HttpClient` returns the forged response instantly instead of requesting the genuine backend API.
Depending on how the application processes and renders the affected API response, this can lead to:
* **DOM-based Cross-Site Scripting (XSS)** if poisoned fields are rendered using unsafe bindings.
* **Privilege Escalation** by spoofing user info or session details retrieved from poisoned API payloads.
* **UI Hijacking** and redirection by spoofing configuration endpoints.
### Patched Versions
* 22.0.1
* 21.2.17
* 20.3.25
### Workarounds
If you cannot immediately update to a patched Angular version, apply the following workarounds:
#### A. Avoid Dynamic/User-Controlled IDs
Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:
```html
<!-- Vulnerable Pattern -->
<div [id]="userControlledInput">...</div>
<!-- Mitigated Pattern -->
<div [id]="'safe-prefix-' + userControlledInput">...</div>
B. Configure a Custom Application ID
Declaring a unique, non-predictable APP_ID changes the ID suffix of the state element, making it harder for attackers to predict and target:
// app.config.ts
import { APP_ID } from '@angular/core';
import { provideClientHydration } from '@angular/platform-browser';
export const appConfig = {
providers: [
{ provide: APP_ID, useValue: 'unique-obfuscated-app-id' },
provideClientHydration()
]
};
This changes the state element lookup ID from ng-state to unique-obfuscated-app-id-state.
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@angular/core"
},
"ranges": [
{
"events": [
{
"introduced": "22.0.0-next.0"
},
{
"fixed": "22.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/core"
},
"ranges": [
{
"events": [
{
"introduced": "21.0.0-next.0"
},
{
"fixed": "21.2.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/core"
},
"ranges": [
{
"events": [
{
"introduced": "20.0.0-next.0"
},
{
"fixed": "20.3.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@angular/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "19.2.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54267"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T15:16:18Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports **Hydration** via `provideClientHydration()`. During SSR, Angular serializes the application\u0027s runtime state (such as cached `HttpClient` responses) and outputs it into the HTML stream as a `\u003cscript\u003e` tag with a predictable identifier:\n\n```html\n\u003cscript type=\"application/json\" id=\"ng-state\"\u003e\n {\"some-api-url\": {\"body\": ...}}\n\u003c/script\u003e\n````\n\nDuring client bootstrap, Angular recovers this state by looking up the element via `document.getElementById(\u0027ng-state\u0027)` and parsing its text content.\n\nBecause the DOM element lookup for the state container is predictable and relies solely on the ID selector (`ng-state`), it is susceptible to **DOM Clobbering**.\n\nIf the application binds untrusted user input or CMS content to element properties such as `id` (e.g., `\u003cdiv [id]=\"userInput\"\u003e` or `\u003ca id=\"ng-state\"\u003e`) *before* the genuine `\u003cscript\u003e` tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup.\n\nDuring hydration, when Angular calls `document.getElementById(\u0027ng-state\u0027)`, the browser returns the attacker\u0027s clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON.\n\n### Impact\n\nBy clobbering the state element, the attacker can inject a custom JSON payload into Angular\u0027s `TransferState` cache. The most critical exploitation vector is poisoning the **HTTP Transfer Cache**.\n\n1. The attacker injects a clobbered `ng-state` element containing custom JSON. \n2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker\u0027s choice. \n3. During client-side initialization, Angular\u0027s `HttpClient` checks `TransferState` before making requests. Finding the poisoned key, `HttpClient` returns the forged response instantly instead of requesting the genuine backend API.\n\nDepending on how the application processes and renders the affected API response, this can lead to:\n\n* **DOM-based Cross-Site Scripting (XSS)** if poisoned fields are rendered using unsafe bindings. \n* **Privilege Escalation** by spoofing user info or session details retrieved from poisoned API payloads. \n* **UI Hijacking** and redirection by spoofing configuration endpoints.\n\n### Patched Versions\n\n* 22.0.1 \n* 21.2.17 \n* 20.3.25\n\n### Workarounds\n\nIf you cannot immediately update to a patched Angular version, apply the following workarounds:\n\n#### A. Avoid Dynamic/User-Controlled IDs\n\nAvoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix:\n\n```html\n\u003c!-- Vulnerable Pattern --\u003e\n\u003cdiv [id]=\"userControlledInput\"\u003e...\u003c/div\u003e\n\n\u003c!-- Mitigated Pattern --\u003e\n\u003cdiv [id]=\"\u0027safe-prefix-\u0027 + userControlledInput\"\u003e...\u003c/div\u003e\n```\n\n#### B. Configure a Custom Application ID\n\nDeclaring a unique, non-predictable `APP_ID` changes the ID suffix of the state element, making it harder for attackers to predict and target:\n\n```ts\n// app.config.ts\n\nimport { APP_ID } from \u0027@angular/core\u0027;\nimport { provideClientHydration } from \u0027@angular/platform-browser\u0027;\n\nexport const appConfig = {\n providers: [\n { provide: APP_ID, useValue: \u0027unique-obfuscated-app-id\u0027 },\n provideClientHydration()\n ]\n};\n\n```\n\nThis changes the state element lookup ID from `ng-state` to `unique-obfuscated-app-id-state`.",
"id": "GHSA-rgjc-h3x7-9mwg",
"modified": "2026-06-15T15:16:18Z",
"published": "2026-06-15T15:16:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/angular/angular/security/advisories/GHSA-rgjc-h3x7-9mwg"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/pull/69064"
},
{
"type": "WEB",
"url": "https://github.com/angular/angular/commit/6bde84fa8e6a5770b54040fbbc9bf10d5d0386fa"
},
{
"type": "PACKAGE",
"url": "https://github.com/angular/angular"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Angular Client Hydration DOM Clobbering \u0026 Response-Cache Poisoning"
}
WID-SEC-W-2026-1930
Vulnerability from csaf_certbund - Published: 2026-06-15 22:00 - Updated: 2026-06-15 22:00Summary
Angular: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Angular ist ein TypeScript-basiertes Front-End-Webapplikationsframework. Es ist eine Weiterentwicklung des JavaScript basierten AngularJS.
Angriff: Ein Angreifer kann mehrere Schwachstellen in Angular ausnutzen, um erweiterte Berechtigungen zu erlangen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuführen, einen Denial-of-Service-Zustand herbeizuführen, Daten zu manipulieren oder offenzulegen, Benutzer auf bösartige Websites umzuleiten oder Sitzungen zu kapern.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
Affected products
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Open Source Angular <19.2.23
Open Source / Angular
|
<19.2.23 | ||
|
Open Source Angular <20.3.22
Open Source / Angular
|
<20.3.22 | ||
|
Open Source Angular <21.2.15
Open Source / Angular
|
<21.2.15 | ||
|
Open Source Angular <22.0.0-rc.2
Open Source / Angular
|
<22.0.0-rc.2 | ||
|
Open Source Angular <22.0.1
Open Source / Angular
|
<22.0.1 | ||
|
Open Source Angular <19.2.22
Open Source / Angular
|
<19.2.22 | ||
|
Open Source Angular <20.3.25
Open Source / Angular
|
<20.3.25 | ||
|
Open Source Angular <21.2.17
Open Source / Angular
|
<21.2.17 |
References
13 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Angular ist ein TypeScript-basiertes Front-End-Webapplikationsframework. Es ist eine Weiterentwicklung des JavaScript basierten AngularJS.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Angular ausnutzen, um erweiterte Berechtigungen zu erlangen, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren, einen Denial-of-Service-Zustand herbeizuf\u00fchren, Daten zu manipulieren oder offenzulegen, Benutzer auf b\u00f6sartige Websites umzuleiten oder Sitzungen zu kapern.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-1930 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1930.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-1930 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1930"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-692r-grfm-v8x7 vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-692r-grfm-v8x7"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-95qp-cmmw-mgqv vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-95qp-cmmw-mgqv"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-f3m7-gqxr-g87x vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-f3m7-gqxr-g87x"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-gv2q-mqqv-365m vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-gv2q-mqqv-365m"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-gxx4-3xcv-f8qx vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-gxx4-3xcv-f8qx"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-hqr9-c56f-3x7f vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-hqr9-c56f-3x7f"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-p3vc-36g9-x9gr vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-p3vc-36g9-x9gr"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-q6f4-qqrg-jv6x vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-q6f4-qqrg-jv6x"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-qxh6-94w6-9r5p vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-qxh6-94w6-9r5p"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-rgjc-h3x7-9mwg vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-rgjc-h3x7-9mwg"
},
{
"category": "external",
"summary": "GitHub Security Advisory GHSA-xrxm-cp7j-8xf6 vom 2026-06-15",
"url": "https://github.com/advisories/GHSA-xrxm-cp7j-8xf6"
}
],
"source_lang": "en-US",
"title": "Angular: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-06-15T22:00:00.000+00:00",
"generator": {
"date": "2026-06-16T09:04:52.763+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-1930",
"initial_release_date": "2026-06-15T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-06-15T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c22.0.1",
"product": {
"name": "Open Source Angular \u003c22.0.1",
"product_id": "T055406"
}
},
{
"category": "product_version",
"name": "22.0.1",
"product": {
"name": "Open Source Angular 22.0.1",
"product_id": "T055406-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:22.0.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c22.0.0-rc.2",
"product": {
"name": "Open Source Angular \u003c22.0.0-rc.2",
"product_id": "T055407"
}
},
{
"category": "product_version",
"name": "22.0.0-rc.2",
"product": {
"name": "Open Source Angular 22.0.0-rc.2",
"product_id": "T055407-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:22.0.0-rc.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c21.2.15",
"product": {
"name": "Open Source Angular \u003c21.2.15",
"product_id": "T055408"
}
},
{
"category": "product_version",
"name": "21.2.15",
"product": {
"name": "Open Source Angular 21.2.15",
"product_id": "T055408-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:21.2.15"
}
}
},
{
"category": "product_version_range",
"name": "\u003c20.3.22",
"product": {
"name": "Open Source Angular \u003c20.3.22",
"product_id": "T055409"
}
},
{
"category": "product_version",
"name": "20.3.22",
"product": {
"name": "Open Source Angular 20.3.22",
"product_id": "T055409-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:20.3.22"
}
}
},
{
"category": "product_version_range",
"name": "\u003c19.2.23",
"product": {
"name": "Open Source Angular \u003c19.2.23",
"product_id": "T055410"
}
},
{
"category": "product_version",
"name": "19.2.23",
"product": {
"name": "Open Source Angular 19.2.23",
"product_id": "T055410-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:19.2.23"
}
}
},
{
"category": "product_version_range",
"name": "\u003c21.2.17",
"product": {
"name": "Open Source Angular \u003c21.2.17",
"product_id": "T055411"
}
},
{
"category": "product_version",
"name": "21.2.17",
"product": {
"name": "Open Source Angular 21.2.17",
"product_id": "T055411-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:21.2.17"
}
}
},
{
"category": "product_version_range",
"name": "\u003c20.3.25",
"product": {
"name": "Open Source Angular \u003c20.3.25",
"product_id": "T055412"
}
},
{
"category": "product_version",
"name": "20.3.25",
"product": {
"name": "Open Source Angular 20.3.25",
"product_id": "T055412-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:20.3.25"
}
}
},
{
"category": "product_version_range",
"name": "\u003c19.2.22",
"product": {
"name": "Open Source Angular \u003c19.2.22",
"product_id": "T055413"
}
},
{
"category": "product_version",
"name": "19.2.22",
"product": {
"name": "Open Source Angular 19.2.22",
"product_id": "T055413-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:angular:angular:19.2.22"
}
}
}
],
"category": "product_name",
"name": "Angular"
}
],
"category": "vendor",
"name": "Open Source"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-50168",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50168"
},
{
"cve": "CVE-2026-50169",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50169"
},
{
"cve": "CVE-2026-50170",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50170"
},
{
"cve": "CVE-2026-50171",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50171"
},
{
"cve": "CVE-2026-50184",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50184"
},
{
"cve": "CVE-2026-50555",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50555"
},
{
"cve": "CVE-2026-50556",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50556"
},
{
"cve": "CVE-2026-50557",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-50557"
},
{
"cve": "CVE-2026-52725",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-52725"
},
{
"cve": "CVE-2026-54264",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-54264"
},
{
"cve": "CVE-2026-54267",
"product_status": {
"known_affected": [
"T055410",
"T055409",
"T055408",
"T055407",
"T055406",
"T055413",
"T055412",
"T055411"
]
},
"release_date": "2026-06-15T22:00:00.000+00:00",
"title": "CVE-2026-54267"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…