Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-k83s-kt8k-3uar
Vulnerability ID VCID-k83s-kt8k-3uar
Aliases CVE-2026-41423
GHSA-45q2-gjvg-7973
Summary Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server due to improper handling of URLs during Server-Side Rendering (SSR). When an attacker sends a request such as GET /\evil.com/ HTTP/1.1 the server engine (Express, etc.) passes the URL string to Angular’s rendering functions. Because the URL parser normalizes the backslash to a forward slash for HTTP/HTTPS schemes, the internal state of the application is hijacked to believe the current origin is evil.com. This misinterpretation tricks the application into treating the attacker’s domain as the local origin. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This issue has been patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-918 Server-Side Request Forgery (SSRF)
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00041 https://api.first.org/data/v1/epss?cve=CVE-2026-41423
epss 0.00041 https://api.first.org/data/v1/epss?cve=CVE-2026-41423
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-45q2-gjvg-7973
cvssv4 8.7 https://github.com/angular/angular
generic_textual HIGH https://github.com/angular/angular
cvssv4 8.7 https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412
generic_textual HIGH https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412
ssvc Track https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412
cvssv4 8.7 https://github.com/angular/angular/pull/68194
generic_textual HIGH https://github.com/angular/angular/pull/68194
ssvc Track https://github.com/angular/angular/pull/68194
cvssv3.1_qr HIGH https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
cvssv4 8.7 https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
generic_textual HIGH https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
ssvc Track https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-41423
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-41423
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-41423
https://github.com/angular/angular
https://nvd.nist.gov/vuln/detail/CVE-2026-41423
68194 https://github.com/angular/angular/pull/68194
ede7c58a2aa13fdccc8f0b67ce93ba1c11749412 https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412
GHSA-45q2-gjvg-7973 https://github.com/advisories/GHSA-45q2-gjvg-7973
GHSA-45q2-gjvg-7973 https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:21:41Z/ Found at https://github.com/angular/angular/commit/ede7c58a2aa13fdccc8f0b67ce93ba1c11749412
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular/pull/68194
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:21:41Z/ Found at https://github.com/angular/angular/pull/68194
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:21:41Z/ Found at https://github.com/angular/angular/security/advisories/GHSA-45q2-gjvg-7973
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41423
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.12956
EPSS Score 0.00041
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:51:16.729135+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41423.json 38.6.0