CVE-2026-44437

6.1 MEDIUM

The Angular SSR is a server-rise rendering tool for Angular applications

Published: 2026-05-13 · Last updated: 2026-05-28

Severity and scoring

CVSS: 6.1 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-22, CWE-601

Affected products

Vendor	Product
angular	angular_cli

Description

The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44437
[Patch]https://github.com/angular/angular-cli/pull/33031
[Vendor advisory]https://github.com/angular/angular-cli/security/advisories/GHSA-69xr-m8h6-h664

Related CVEs

Same vendor

CVE-2026-22610 — Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages (6.1 MEDIUM)
CVE-2025-66412 — Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages (5.4 MEDIUM)

Same CWE

CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)
CVE-2026-49766 — Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions (9.9 CRITICAL)
CVE-2026-49061 — Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions (7.5 HIGH)
CVE-2026-40779 — Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions (7.7 HIGH)