A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of elements. When rendering dynamic text content inside a element via templa…
| CVE ID | CVE-2026-50556 |
| Vendor | npm |
| Affected Product | @angular/platform-server |
| Vulnerability Type | Vulnerability |
| CVSS Score | 7.5 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
A Cross-Site Scripting (XSS) vulnerability exists in @angular/platform-server's DOM emulation dependency (domino) when serializing the content of elements. When rendering dynamic text content inside a element via template bindings (such as {{ value }} or [textContent]), the template engine expects the browser to render the content safely. Under Server-Side Rendering (SSR), domino is configured with scripting enabled, meaning is treated as a raw-text element. However, domino's serializer completely omitted from the list of raw-text elements requiring closing-tag escaping during DOM serialization. As a result, any occurrence of in the bound dynamic text was never escaped under any circumstances. The unescaped closing tag was serialized directly into the ou
Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.