
1344 matches found

Cvelist
added 2026/03/26 1:46 p.m. | 22 views

CVE-2026-33397 Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass

Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in @angular/ssr due to an incomplete fix for CVE-2026-27738. Whil...

CVSS 6.9 | EPSS 0.00012
Exploits: 0 | References: 3

OSV
added 2026/03/26 1:46 p.m. | 1 view

CVE-2026-33397 Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass

Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in @angular/ssr due to an incomplete fix for CVE-2026-27738. Whil...

CVSS 6.9 | AI score 5.9 | EPSS 0.00012
Exploits: 0 | References: 5

Vulnrichment
added 2026/03/26 1:46 p.m. | 2 views

CVE-2026-33397 Angular SSR Vulnerable to Protocol-Relative URL Injection via Single Backslash Bypass

Angular SSR is a server-side rendering tool for Angular applications. Versions on the 22.x branch prior to 22.0.0-next.2, the 21.x branch prior to 21.2.3, and the 20.x branch prior to 20.3.21 have an Open Redirect vulnerability in @angular/ssr due to an incomplete fix for CVE-2026-27738. Whil...

CVSS 6.9 | AI score 5.9 | EPSS 0.00012
Exploits: 0 | References: 3

CVE
added 2026/03/26 1:46 p.m. | 13 views

CVE-2026-33397

The CVE concerns Angular SSR bottleneck/open-redirect in @angular/ssr. Affected series: 22.x before 22.0.0-next.2, 21.x before 21.2.3, and 20.x before 20.3.21, with a patch included in 22.0.0-next.2, 21.2.3, and 20.3.21. Root cause: incomplete fix for CVE-2026-27738 where a single backslash in X-...

CVSS 6.9 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 3 | Affected Software: 1

Veracode
added 2026/03/26 8:45 a.m. | 4 views

Cross-site Scripting (XSS)

Angular is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to internationalization of security-sensitive attributes bypassing Angular’s sanitization when combined with untrusted data binding, which allows an attacker to inject malicious scripts...

CVSS 9 | AI score 6 | EPSS 0.00054
Exploits: 0 | References: 8 | Affected Software: 2

CNNVD
added 2026/03/26 12:00 a.m. | 5 views

Angular Input Validation Error Vulnerability

Angular is an open-source development platform created by Angular. It is used to build mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions of Angular prior to 22.0.0-next.2, 21.2.3, and 20.3.21 have a vulnerability related to input validation errors. This...

CVSS 6.9 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 3

vulnersOsv
added 2026/03/25 9:13 p.m. | 4 views

org.webjars.npm:angular-devkit__architect (=0.1902.8), org.webjars.npm:angular-devkit__core (=19.2.8) +2 more potentially affected by CVE-2026-33672 via org.webjars.npm:picomatch (=4.0.2)

org.webjars.npm:picomatch MAVEN version =4.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:picomatch and may be impacted: - org.webjars.npm:angular-devkit__architect =0.1902.8 - org.webjars.npm:angular-devkit__core =19.2.8 -...

CVSS 5.3 | AI score 5.8 | EPSS 0.00059
Exploits: 0

vulnersOsv
added 2026/03/25 9:13 p.m. | 3 views

4itech-schematics (>=11.3.0 <=11.7.0-5), @4itech/schematics (=11.7.0) +72 more potentially affected by CVE-2026-33672 via picomatch (=3.0.1)

picomatch NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on picomatch and may be impacted: - 4itech-schematics =11.3.0, =10.0.0-alpha.1, =10.0.0-alpha.1, =10.0.0-alpha.1, =0.1700.0, =0.1700.0, =17.0.0, =0.1700.0, =17.0.0, =17.0.0,...

CVSS 5.3 | AI score 5.8 | EPSS 0.00059
Exploits: 0

vulnersOsv
added 2026/03/25 9:13 p.m. | 4 views

4itech-schematics (>=11.3.0 <=11.7.0-5), @4itech/schematics (=11.7.0) +72 more potentially affected by CVE-2026-33672 via picomatch (=3.0.1)

picomatch NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on picomatch and may be impacted: - 4itech-schematics =11.3.0, =10.0.0-alpha.1, =10.0.0-alpha.1, =10.0.0-alpha.1, =0.1700.0, =0.1700.0, =17.0.0, =0.1700.0, =17.0.0, =17.0.0,...

CVSS 5.3 | AI score 5.8 | EPSS 0.00059
Exploits: 0

vulnersOsv
added 2026/03/25 9:12 p.m. | 3 views

4itech-schematics (>=11.3.0 <=11.7.0-5), @4itech/schematics (=11.7.0) +72 more potentially affected by CVE-2026-33671 via picomatch (=3.0.1)

picomatch NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on picomatch and may be impacted: - 4itech-schematics =11.3.0, =10.0.0-alpha.1, =10.0.0-alpha.1, =10.0.0-alpha.1, =0.1700.0, =0.1700.0, =17.0.0, =0.1700.0, =17.0.0, =17.0.0,...

CVSS 7.5 | AI score 5.8 | EPSS 0.0002
Exploits: 0

vulnersOsv
added 2026/03/25 9:12 p.m. | 3 views

org.webjars.npm:angular-devkit__architect (=0.1902.8), org.webjars.npm:angular-devkit__core (=19.2.8) +2 more potentially affected by CVE-2026-33671 via org.webjars.npm:picomatch (=4.0.2)

org.webjars.npm:picomatch MAVEN version =4.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:picomatch and may be impacted: - org.webjars.npm:angular-devkit__architect =0.1902.8 - org.webjars.npm:angular-devkit__core =19.2.8 -...

CVSS 7.5 | AI score 5.8 | EPSS 0.0002
Exploits: 0

vulnersOsv
added 2026/03/25 9:12 p.m. | 3 views

4itech-schematics (>=11.3.0 <=11.7.0-5), @4itech/schematics (=11.7.0) +72 more potentially affected by CVE-2026-33671 via picomatch (=3.0.1)

picomatch NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on picomatch and may be impacted: - 4itech-schematics =11.3.0, =10.0.0-alpha.1, =10.0.0-alpha.1, =10.0.0-alpha.1, =0.1700.0, =0.1700.0, =17.0.0, =0.1700.0, =17.0.0, =17.0.0,...

CVSS 7.5 | AI score 5.8 | EPSS 0.0002
Exploits: 0

Veracode
added 2026/03/23 8:24 a.m. | 4 views

Cross-site Scripting (XSS)

@angular/compiler is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to an incomplete security schema in the template compiler that fails to properly classify certain URL attributes, which allows an attacker to bypass sanitization and inject malicious scripts...

CVSS 8.5 | AI score 6.8 | EPSS 0.00027
Exploits: 1 | References: 5 | Affected Software: 1

vulnersOsv
added 2026/03/20 8:50 p.m. | 5 views

@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +26 more potentially affected by CVE-2026-33490 via h3 (>=2.0.1-rc.11 <=2.0.1-rc.16)

h3 NPM version =2.0.1-rc.11, =2.4.0-alpha.2, =3.23.1-20260131-121433-34f631e, =0.15.0, =1.154.7, =0.0.1, =1.154.7, =1.154.7, =1.154.7, =2.0.0-beta.17 and more Source cves: CVE-2026-33490 Source advisory: SNYK:JS-H3-15745916...

CVSS 5.3 | AI score 5.8 | EPSS 0.00022
Exploits: 1

GitHub Security Blog
added 2026/03/19 9:22 p.m. | 9 views

Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes (e.g., ///), the internal validation logic fails to account for a single backslash (\) bypass. When an Angular SSR application is...

CVSS 6.9 | AI score 5.7 | EPSS 0.00012
Exploits: 0 | References: 5 | Affected Software: 1

vulnersOsv
added 2026/03/19 9:22 p.m. | 5 views

@hmcts/media-viewer (>=4.2.16-exui-4425 <=4.2.16-exui-4425-rel1) potentially affected by CVE-2026-33397 via @angular/ssr (=20.3.18)

@angular/ssr NPM version =20.3.18 is affected by a known vulnerability. The following packages have a transitive dependency on @angular/ssr and may be impacted: - @hmcts/media-viewer =4.2.16-exui-4425, =4.2.16-exui-4425-rel1 Source cves: CVE-2026-33397 Source advisory: OSV:GHSA-VFX2-HV2G-XJ5F...

CVSS 6.9 | AI score 5.8 | EPSS 0.00012
Exploits: 0

Snyk
added 2026/03/19 9:22 p.m. | 2 views

Open Redirect

Overview: @angular/ssr is the Angular server-side rendering utilities package. Affected versions of this package are vulnerable to Open Redirect via the internal URL processing logic when handling the X-Forwarded-Prefix header. An attacker can cause users to be redirected to arbitrary external domains b...

CVSS 7.2 | AI score 5.9 | EPSS 0.00061
Exploits: 0 | References: 2

vulnersOsv
added 2026/03/19 9:22 p.m. | 4 views

@jamelyassin/shadcn-angular (>=1.0.3 <=1.0.4), @keycloakify/angular-email (>=1.1.0 <=1.1.5) +11 more potentially affected by CVE-2026-33397 via @angular/ssr (>=21.1.2 <=21.2.10)

@angular/ssr NPM version =21.1.2, =1.0.3, =1.1.0, =1.0.0, =0.0.2, =0.5.0, =0.1.2, =1.0.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33397 Source advisory: OSV:GHSA-VFX2-HV2G-XJ5F...

CVSS 6.9 | AI score 5.8 | EPSS 0.00012
Exploits: 0

vulnersOsv
added 2026/03/19 9:22 p.m. | 4 views

@hmcts/media-viewer (>=4.2.16-exui-4425 <=4.2.16-exui-4425-rel1) potentially affected by CVE-2026-27738 +1 more via @angular/ssr (=20.3.18)

@angular/ssr NPM version =20.3.18 is affected by a known vulnerability. The following packages have a transitive dependency on @angular/ssr and may be impacted: - @hmcts/media-viewer =4.2.16-exui-4425, =4.2.16-exui-4425-rel1 Source cves: CVE-2026-27738, CVE-2026-33397 Source advisory:...

CVSS 6.9 | AI score 5.8 | EPSS 0.00061
Exploits: 0

vulnersOsv
added 2026/03/19 9:22 p.m. | 5 views

@jamelyassin/shadcn-angular (>=1.0.3 <=1.0.4), @keycloakify/angular-email (>=1.1.0 <=1.1.5) +11 more potentially affected by CVE-2026-27738 +1 more via @angular/ssr (>=21.1.2 <=21.2.10)

@angular/ssr NPM version =21.1.2, =1.0.3, =1.1.0, =1.0.0, =0.0.2, =0.5.0, =0.1.2, =1.0.0, =1.0.0, =1.0.2 Source cves: CVE-2026-27738, CVE-2026-33397 Source advisory: SNYK:JS-ANGULARSSR-15701178...

CVSS 6.9 | AI score 5.8 | EPSS 0.00061
Exploits: 0