CVE-2026-11998

A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session. SCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs. This issue affects AngularJS versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see the End-of-Life announcement https://docs.angularjs.org/misc/version-support-status .

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://codepen.io/herodevs/pen/JobQdmz/5b3896f56fab66f20cd25e698cf3faa8
https://www.herodevs.com/vulnerability-directory/cve-2026-11998
https://www.herodevs.com/vulnerability-directory/cve-2026-11998?nes-for-angularjs

Configurations

No configuration.

History

25 Jun 2026, 14:16

Type	Values Removed	Values Added
References		() https://www.herodevs.com/vulnerability-directory/cve-2026-11998?nes-for-angularjs -

24 Jun 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-24 21:16

Updated : 2026-06-25 20:20

NVD link : CVE-2026-11998

Mitre link : CVE-2026-11998

CVE.ORG link : CVE-2026-11998

JSON object : View

Products Affected

No product.

CWE

CWE-791

Incomplete Filtering of Special Elements

{"id": "CVE-2026-11998", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c"}], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-11998", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-25T13:12:17.669220Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "affected": [{"source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "affectedData": [{"repo": "https://github.com/angular/angular.js", "vendor": "Google", "product": "AngularJS", "versions": [{"status": "affected", "version": ">=1.2.0-rc.3", "versionType": "semver"}], "packageName": "angular", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}]}], "published": "2026-06-24T21:16:52.170", "references": [{"url": "https://codepen.io/herodevs/pen/JobQdmz/5b3896f56fab66f20cd25e698cf3faa8", "source": "36c7be3b-2937-45df-85ea-ca7133ea542c"}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-11998", "source": "36c7be3b-2937-45df-85ea-ca7133ea542c"}, {"url": "https://www.herodevs.com/vulnerability-directory/cve-2026-11998?nes-for-angularjs", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", "description": [{"lang": "en", "value": "CWE-791"}]}], "descriptions": [{"lang": "en", "value": "A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource URLs and can lead to arbitrary JavaScript execution within the context of the victim's browser session.\n\n\nSCE's purpose is to ensure that only trusted or safe values are used in certain security-sensitive contexts, such as resource URLs, including URLs that define executable JavaScript scripts, '<iframe>' documents, route templates, etc. A flaw in the logic that tries to match entire URLs against regular expression matchers can result in partial matches for certain types of regular expressions, effectively bypassing the policies and allowing the use of unsafe values as resource URLs.\n\n\nThis issue affects AngularJS versions greater than or equal to 1.2.0-rc.3.\n\n\nNote:\nThe AngularJS project was already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see the\u00a0 End-of-Life announcement https://docs.angularjs.org/misc/version-support-status ."}], "lastModified": "2026-06-25T20:20:44.730", "sourceIdentifier": "36c7be3b-2937-45df-85ea-ca7133ea542c"}