Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/%40nguniversal/express-engine@5.0.0-beta.7
Typenpm
Namespace@nguniversal
Nameexpress-engine
Version5.0.0-beta.7
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
0
url VCID-hbzh-5vsc-a3gn
vulnerability_id VCID-hbzh-5vsc-a3gn
summary The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the destination domain. Specifically, the framework didn't have checks for the host domain, path and character sanitization, and port validation. This vulnerability manifests in two primary ways: implicit relative URL resolution and explicit manual construction. When successfully exploited, this vulnerability allows for arbitrary internal request steering. This can lead to credential exfiltration, internal network probing, and a confidentiality breach. In order to be vulnerable, the victim application must use Angular SSR (Server-Side Rendering), the application must perform `HttpClient` requests using relative URLs OR manually construct URLs using the unvalidated `Host` / `X-Forwarded-*` headers using the `REQUEST` object, the application server must be reachable by an attacker who can influence these headers without strict validation from a front-facing proxy, and the infrastructure (Cloud, CDN, or Load Balancer) must not sanitize or validate incoming headers. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Some workarounds are available. Avoid using `req.headers` for URL construction. Instead, use trusted variables for base API paths. Those who cannot upgrade immediately should implement a middleware in their `server.ts` to enforce numeric ports and validated hostnames.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-27739
reference_id
reference_type
scores
0
value 0.00061
scoring_system epss
scoring_elements 0.19453
published_at 2026-06-11T12:55:00Z
1
value 0.00061
scoring_system epss
scoring_elements 0.19622
published_at 2026-06-14T12:55:00Z
2
value 0.00061
scoring_system epss
scoring_elements 0.19627
published_at 2026-06-12T12:55:00Z
3
value 0.00061
scoring_system epss
scoring_elements 0.19649
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-27739
1
reference_url https://github.com/angular/angular-cli
reference_id
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/angular/angular-cli
2
reference_url https://github.com/angular/angular-cli/pull/32516
reference_id 32516
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/
url https://github.com/angular/angular-cli/pull/32516
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27739
reference_id CVE-2026-27739
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-27739
4
reference_url https://github.com/advisories/GHSA-x288-3778-4hhx
reference_id GHSA-x288-3778-4hhx
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x288-3778-4hhx
5
reference_url https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx
reference_id GHSA-x288-3778-4hhx
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/
url https://github.com/angular/angular-cli/security/advisories/GHSA-x288-3778-4hhx
6
reference_url https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf
reference_id security#preventing-server-side-request-forgery-ssrf
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/
url https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf
7
reference_url https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF
reference_id SSRF
reference_type
scores
0
value 9.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-27T17:59:01Z/
url https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF
fixed_packages
aliases CVE-2026-27739, GHSA-x288-3778-4hhx
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hbzh-5vsc-a3gn
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/%2540nguniversal/express-engine@5.0.0-beta.7