CVE-2026-50555

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.16, 20.3.24, and 19.2.25, a Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino wh...

CVE-2026-54298

Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props ...

PT-2026-49739

Name of the Vulnerable Software and Affected Versions Astro versions prior to 6.4.6 Description The spreadAttributes function in the server-side rendering pipeline iterates over object keys and passes them to the addAttribute function, which interpolates the key into the HTML output without...

@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)

A Denial of Service DoS vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted,...

PT-2026-49565

Name of the Vulnerable Software and Affected Versions Angular versions prior to 22.0.0-rc.2 Angular versions prior to 21.2.16 Angular versions prior to 20.3.24 Angular versions prior to 19.2.25 Description A Cross-Site Scripting XSS issue exists in the domino DOM emulation dependency of...

CVE-2026-44437

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly...

Authentication Bypass Using an Alternate Path or Channel

Overview @nuxt/nitro-server is a Nitro server integration for Nuxt Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the route middleware. An attacker can gain unauthorized access to server-rendered page content by directly requesting...

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements used in an Expression Language Statement 'Expression Language Injection' in the server-side template rendering mechanism used by the gadget handler. An attacker can execute arbitrary commands,...

CVE-2026-4643

Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking window.close in the renderer context, leading to...

PT-2026-39328

Name of the Vulnerable Software and Affected Versions Hono versions prior to 4.12.18 Description The JSX renderer escapes style attribute object values for HTML but not for CSS. When untrusted input is interpolated into a JSX style object and rendered server-side, characters that act as CSS...

@cosla/sensemaking-web-ui (>=1.0.5 <=1.0.8), @manniwatch/client-desktop (>=0.30.0 <=0.30.1) +3 more potentially affected by CVE-2026-44437 via @angular/ssr (>=19.0.5 <=19.2.19)

@angular/ssr NPM version =19.0.5, =1.0.5, =0.30.0, =0.30.0, =19.0.0-alpha.20, =19.0.0-alpha.20, =19.0.0-alpha.24 Source cves: CVE-2026-44437 Source advisory: SNYK:JS-ANGULARSSR-16438975...

@docgeni/angular (=21.0.1), @jamelyassin/shadcn-angular (>=1.0.3 <=1.0.4) +15 more potentially affected by CVE-2026-44437 via @angular/ssr (>=21.1.2 <=21.2.7)

@angular/ssr NPM version =21.1.2, =1.0.3, =1.1.0, =2.0.0, =1.0.0, =0.0.2, =0.5.0, =0.1.2, =1.0.0, =0.0.2, =0.0.3-beta.1 and more Source cves: CVE-2026-44437 Source advisory: OSV:GHSA-69XR-M8H6-H664...

PT-2026-34233

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

PT-2026-28572

Name of the Vulnerable Software and Affected Versions Handlebars versions 4.0.0 through 4.7.8 Description Handlebars allows users to build semantic templates. A crafted object placed in the template context can bypass conditional guards in the resolvePartial function, causing invokePartial to...

Command Injection

Overview indico is a conference lifecycle management and meeting/lecture scheduling tool. Affected versions of this package are vulnerable to Command Injection due to insufficient sanitization of LaTeX syntax. An attacker can execute arbitrary code or access local files by submitting...

GHSA-7J2X-32W6-P43P SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()

Summary The ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of s...

@hmcts/media-viewer (>=4.2.16-exui-4425 <=4.2.16-exui-4425-rel1) potentially affected by CVE-2026-33397 via @angular/ssr (=20.3.18)

@angular/ssr NPM version =20.3.18 is affected by a known vulnerability. The following packages have a transitive dependency on @angular/ssr and may be impacted: - @hmcts/media-viewer =4.2.16-exui-4425, =4.2.16-exui-4425-rel1 Source cves: CVE-2026-33397 Source advisory: OSV:GHSA-VFX2-HV2G-XJ5F...

CVE-2026-27901

Svelte performance oriented web framework. Prior to version 5.53.5, the contents of bind:innerText and bind:textContent on contenteditable elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting XSS if rendering untrusted data as the binding's initial value o...

Server-side Request Forgery (SSRF)

Overview @angular-devkit/build-angular is an Angular Webpack Build Facade Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request handling pipeline due to improper validation of user-controlled HTTP headers such as Host and X-Forwarded-. An attacker ca...

Server-side Request Forgery (SSRF)

Overview @angular/ssr is a the Angular server side rendering utilities. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request handling pipeline due to improper validation of user-controlled HTTP headers such as Host and X-Forwarded-. An attacker can...