CVE-2026-54267

Source
https://cve.org/CVERecord?id=CVE-2026-54267
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54267.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54267
Aliases
Downstream
Published
2026-06-22T15:30:48.699Z
Modified
2026-07-08T08:10:43.053446100Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Angular Client Hydration DOM Clobbering & Response-Cache Poisoning
Details

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, to optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via provideClientHydration(). During SSR, Angular serializes the application's runtime state (such as cached HttpClient responses) and outputs it into the HTML stream as a <script> tag with a predictable identifier. During client bootstrap, Angular recovers this state by looking up the element via document.getElementById('ng-state') and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector (ng-state), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as id (e.g., <div [id]="userInput"> or <a id="ng-state">) before the genuine <script> tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls document.getElementById('ng-state'), the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54267.json",
    "cwe_ids": [
        "CWE-471",
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": ">= 22.0.0-next.0 < 22.0.1"
                },
                {
                    "last_affected": ">= 22.0.0-next.0 < 22.0.1"
                },
                {
                    "introduced": ">= 21.0.0-next.0 < 21.2.17"
                },
                {
                    "last_affected": ">= 21.0.0-next.0 < 21.2.17"
                },
                {
                    "introduced": ">= 20.0.0-next.0 < 20.3.25"
                },
                {
                    "last_affected": ">= 20.0.0-next.0 < 20.3.25"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/angular/angular

Affected ranges

Type
GIT
Repo
https://github.com/angular/angular
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*",
        "cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "19.2.25"
        },
        {
            "introduced": "20.0.0"
        },
        {
            "fixed": "20.3.25"
        },
        {
            "introduced": "21.0.0"
        },
        {
            "fixed": "21.2.17"
        },
        {
            "introduced": "22.0.0-next0"
        },
        {
            "last_affected": "22.0.0-next0"
        },
        {
            "introduced": "22.0.0-next1"
        },
        {
            "last_affected": "22.0.0-next1"
        },
        {
            "introduced": "22.0.0-next10"
        },
        {
            "last_affected": "22.0.0-next10"
        },
        {
            "introduced": "22.0.0-next11"
        },
        {
            "last_affected": "22.0.0-next11"
        },
        {
            "introduced": "22.0.0-next12"
        },
        {
            "last_affected": "22.0.0-next12"
        },
        {
            "introduced": "22.0.0-next2"
        },
        {
            "last_affected": "22.0.0-next2"
        },
        {
            "introduced": "22.0.0-next3"
        },
        {
            "last_affected": "22.0.0-next3"
        },
        {
            "introduced": "22.0.0-next4"
        },
        {
            "last_affected": "22.0.0-next4"
        },
        {
            "introduced": "22.0.0-next5"
        },
        {
            "last_affected": "22.0.0-next5"
        },
        {
            "introduced": "22.0.0-next6"
        },
        {
            "last_affected": "22.0.0-next6"
        },
        {
            "introduced": "22.0.0-next7"
        },
        {
            "last_affected": "22.0.0-next7"
        },
        {
            "introduced": "22.0.0-next8"
        },
        {
            "last_affected": "22.0.0-next8"
        },
        {
            "introduced": "22.0.0-next9"
        },
        {
            "last_affected": "22.0.0-next9"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ]
}

Affected versions

10.*
10.0.0-next.0
10.0.0-next.1
10.0.0-next.2
10.0.0-next.3
10.0.0-next.4
10.0.0-next.5
10.0.0-next.6
10.0.0-next.7
10.0.0-next.8
10.0.0-next.9
10.0.0-rc.0
10.1.0-next.0
10.1.0-next.1
10.1.0-next.2
10.1.0-next.3
10.1.0-next.4
10.1.0-next.5
10.1.0-next.6
10.1.0-next.7
10.1.0-next.8
10.1.0-rc.0
11.*
11.0.0-next.0
11.0.0-next.1
11.0.0-next.2
11.0.0-next.3
11.0.0-next.4
11.0.0-next.5
11.0.0-next.6
11.1.0-next.0
11.1.0-next.1
11.1.0-next.2
11.1.0-next.3
11.1.0-next.4
12.*
12.0.0-next.0
12.0.0-next.1
12.0.0-next.2
12.0.0-next.3
12.0.0-next.4
12.0.0-next.5
12.0.0-next.6
12.0.0-next.7
12.0.0-next.8
12.1.0
12.1.0-next.2
12.1.0-next.3
12.1.0-next.4
12.1.0-next.5
12.1.0-next.6
12.2.0-next.0
12.2.0-next.1
12.2.0-next.2
12.2.0-next.3
13.*
13.0.0-next.0
13.0.0-next.1
13.0.0-next.10
13.0.0-next.11
13.0.0-next.12
13.0.0-next.13
13.0.0-next.14
13.0.0-next.2
13.0.0-next.3
13.0.0-next.4
13.0.0-next.5
13.0.0-next.6
13.0.0-next.7
13.0.0-next.8
13.0.0-next.9
13.1.0-next.0
13.1.0-next.1
13.1.0-next.2
13.1.0-next.3
13.2.0-next.0
13.2.0-next.1
13.2.0-next.2
14.*
14.0.0-next.0
14.0.0-next.1
14.0.0-next.10
14.0.0-next.11
14.0.0-next.12
14.0.0-next.13
14.0.0-next.14
14.0.0-next.15
14.0.0-next.2
14.0.0-next.3
14.0.0-next.4
14.0.0-next.5
14.0.0-next.6
14.0.0-next.7
14.0.0-next.8
14.0.0-next.9
14.1.0-next.0
14.1.0-next.1
14.1.0-next.2
14.1.0-next.3
14.1.0-next.4
14.2.0-next.0
14.2.0-next.1
15.*
15.0.0-next.0
15.0.0-next.1
15.0.0-next.2
15.0.0-next.3
15.0.0-next.4
15.0.0-next.5
15.1.0-next.0
15.1.0-next.1
15.1.0-next.2
15.1.0-next.3
15.2.0-next.0
15.2.0-next.1
15.2.0-next.2
15.2.0-next.3
15.2.0-next.4
16.*
16.0.0-next.0
16.0.0-next.1
16.0.0-next.2
16.0.0-next.3
16.0.0-next.4
16.0.0-next.5
16.0.0-next.6
16.1.0-next.0
16.1.0-next.1
16.1.0-next.2
16.1.0-next.3
16.2.0-next.0
16.2.0-next.1
16.2.0-next.2
16.2.0-next.3
16.2.0-next.4
17.*
17.0.0-next.0
17.0.0-next.1
17.0.0-next.2
17.0.0-next.3
17.0.0-next.4
17.0.0-next.5
17.0.0-next.6
17.0.0-next.7
17.1.0-next.0
17.1.0-next.1
17.1.0-next.2
17.1.0-next.3
17.1.0-next.4
17.1.0-next.5
17.2.0-next.0
17.2.0-next.1
17.3.0-next.0
17.3.0-next.1
18.*
18.0.0-next.0
18.0.0-next.1
18.0.0-next.2
18.0.0-next.3
18.0.0-next.4
18.0.0-next.5
18.1.0-next.0
18.1.0-next.1
18.1.0-next.2
18.1.0-next.3
18.1.0-next.4
18.2.0-next.0
18.2.0-next.1
18.2.0-next.2
18.2.0-next.3
18.2.0-next.4
19.*
19.0.0-next.0
19.0.0-next.1
19.0.0-next.10
19.0.0-next.2
19.0.0-next.3
19.0.0-next.4
19.0.0-next.5
19.0.0-next.6
19.0.0-next.7
19.0.0-next.8
19.0.0-next.9
19.1.0-next.0
19.1.0-next.1
19.1.0-next.2
19.1.0-next.3
19.1.0-next.4
19.2.0-next.0
19.2.0-next.1
19.2.0-next.2
19.2.0-next.3
2.*
2.0.0
2.0.0-alpha.13
2.0.0-alpha.14
2.0.0-alpha.15
2.0.0-alpha.17
2.0.0-alpha.18
2.0.0-alpha.19
2.0.0-alpha.20
2.0.0-alpha.21
2.0.0-alpha.22
2.0.0-alpha.23
2.0.0-alpha.24
2.0.0-alpha.25
2.0.0-alpha.26
2.0.0-alpha.27
2.0.0-alpha.28
2.0.0-alpha.29
2.0.0-alpha.30
2.0.0-alpha.31
2.0.0-alpha.32
2.0.0-alpha.33
2.0.0-alpha.34
2.0.0-alpha.35
2.0.0-alpha.40
2.0.0-alpha.41
2.0.0-alpha.42
2.0.0-alpha.44
2.0.0-alpha.47
2.0.0-alpha.48
2.0.0-alpha.49
2.0.0-alpha.50
2.0.0-alpha.51
2.0.0-alpha.52
2.0.0-alpha.53
2.0.0-alpha.54
2.0.0-alpha.55
2.0.0-beta.0
2.0.0-beta.11
2.0.0-beta.12
2.0.0-beta.13
2.0.0-beta.14
2.0.0-beta.16
2.0.0-beta.17
2.0.0-beta.6
2.0.0-beta.7
2.0.0-beta.8
2.0.0-rc.0
2.0.0-rc.1
2.0.0-rc.2
2.0.0-rc.3
2.0.0-rc.4
2.0.0-rc.5
2.0.0-rc.6
2.0.0-rc.7
2.1.0
2.1.0-beta.0
2.1.0-rc.0
2.2.0
2.2.0-beta.0
2.2.0-beta.1
2.2.0-rc.0
2.3.0
2.3.0-beta.0
2.3.0-rc.0
2.4.0-marker
20.*
20.0.0-next.0
20.0.0-next.1
20.0.0-next.2
20.0.0-next.3
20.0.0-next.4
20.0.0-next.5
20.0.0-next.6
20.0.0-next.7
20.0.0-next.8
20.1.0-next.0
20.1.0-next.1
20.1.0-next.2
20.1.0-next.3
20.2.0
20.2.0-next.0
20.2.0-next.1
20.2.0-next.2
20.2.0-next.3
20.2.0-next.4
20.2.0-next.5
20.2.0-next.6
20.2.0-rc.0
20.2.0-rc.1
20.2.1
20.2.2
20.2.3
20.2.4
20.3.0
20.3.0-rc.0
20.3.1
20.3.10
20.3.11
20.3.12
20.3.13
20.3.14
20.3.15
20.3.2
20.3.3
20.3.4
20.3.5
20.3.6
20.3.7
20.3.8
20.3.9
21.*
21.0.0-next.0
21.0.0-next.1
21.0.0-next.2
21.0.0-next.3
21.0.0-next.4
21.0.0-next.5
21.0.0-next.6
21.0.0-next.7
21.0.0-next.8
21.1.0-next.0
21.1.0-next.1
22.*
22.0.0-next0
22.0.0-next1
22.0.0-next10
22.0.0-next11
22.0.0-next12
22.0.0-next2
22.0.0-next3
22.0.0-next4
22.0.0-next5
22.0.0-next6
22.0.0-next7
22.0.0-next8
22.0.0-next9
4.*
4.0.0
4.0.0-beta.0
4.0.0-beta.1
4.0.0-beta.2
4.0.0-beta.3
4.0.0-beta.5
4.0.0-beta.6
4.0.0-beta.7
4.0.0-beta.8
4.0.0-rc.1
4.0.0-rc.2
4.0.0-rc.3
4.0.0-rc.4
4.0.0-rc.5
4.0.0-rc.6
4.1.0
4.1.0-beta.0
4.1.0-beta.1
4.1.0-rc.0
4.2.0-beta.0
4.2.0-rc.0
4.2.0-rc.1
4.2.0-rc.2
4.2.1
4.3.0
4.3.0-beta.0
4.3.0-beta.1
4.3.0-rc.0
5.*
5.0.0-beta.0
5.0.0-beta.1
5.0.0-beta.2
5.0.0-beta.3
5.0.0-beta.4
5.0.0-beta.5
5.0.0-beta.6
5.0.0-beta.7
5.0.0-rc.0
5.0.0-rc.1
5.0.0-rc.2
5.0.0-rc.3
5.0.0-rc.4
5.1.0
5.1.0-beta.0
5.1.0-beta.1
5.1.0-beta.2
5.1.0-rc.0
5.1.0-rc.1
5.2.0
5.2.0-beta.0
5.2.0-beta.1
5.2.0-rc.0
6.*
6.0.0-beta.0
6.0.0-beta.1
6.0.0-beta.2
6.0.0-beta.3
6.0.0-beta.4
6.0.0-beta.6
6.0.0-beta.7
6.0.0-beta.8
6.0.0-rc.0
6.0.0-rc.1
6.0.0-rc.2
6.0.0-rc.3
6.0.0-rc.4
6.0.0-rc.5
6.1.0
6.1.0-beta.0
6.1.0-beta.1
6.1.0-beta.2
6.1.0-beta.3
6.1.0-rc.3
7.*
7.0.0-beta.0
7.0.0-beta.1
7.0.0-beta.2
7.0.0-beta.3
7.0.0-beta.4
7.0.0-beta.5
7.0.0-beta.6
7.0.0-beta.7
7.0.0-rc.0
7.0.0-rc.1
7.1.0
7.1.0-beta.0
7.1.0-beta.1
7.1.0-beta.2
7.1.0-rc.0
7.2.0
7.2.0-beta.1
7.2.0-beta.2
7.2.0-rc.0
8.*
8.0.0-beta.0
8.0.0-beta.1
8.0.0-beta.10
8.0.0-beta.11
8.0.0-beta.12
8.0.0-beta.13
8.0.0-beta.14
8.0.0-beta.2
8.0.0-beta.3
8.0.0-beta.4
8.0.0-beta.5
8.0.0-beta.6
8.0.0-beta.7
8.0.0-beta.8
8.0.0-beta.9
8.0.0-rc.0
8.1.0-beta.0
8.1.0-next.1
8.1.0-next.2
8.1.0-next.3
8.1.0-rc.0
8.2.0-next.0
8.2.0-next.1
8.2.0-next.2
9.*
9.0.0-next.0
9.0.0-next.1
9.0.0-next.10
9.0.0-next.11
9.0.0-next.12
9.0.0-next.13
9.0.0-next.14
9.0.0-next.15
9.0.0-next.2
9.0.0-next.3
9.0.0-next.4
9.0.0-next.5
9.0.0-next.6
9.0.0-next.7
9.0.0-next.8
9.0.0-next.9
9.0.0-rc.0
9.0.0-rc.1
9.1.0-next.0
9.1.0-next.1
9.1.0-next.2
9.1.0-next.4
9.1.0-next.5
9.1.0-rc.0
ngcontainer_0.*
ngcontainer_0.3.0
ngcontainer_0.3.1
ngcontainer_0.3.2
ngcontainer_0.3.3
ngcontainer_0.4.0
ngcontainer_0.5.0
Other
patch_sync
v20.*
v20.3.16
v20.3.17
v20.3.18
v20.3.19
v20.3.20
v20.3.21
v20.3.22
v20.3.23
v20.3.24
v21.*
v21.1.0-next.2
v21.1.0-next.3
v21.1.0-next.4
v21.2.0
v21.2.0-next.0
v21.2.0-next.1
v21.2.0-next.2
v21.2.0-next.3
v21.2.0-rc.0
v21.2.1
v21.2.10
v21.2.11
v21.2.12
v21.2.13
v21.2.14
v21.2.15
v21.2.16
v21.2.2
v21.2.3
v21.2.4
v21.2.5
v21.2.6
v21.2.7
v21.2.8
v21.2.9
v22.*
v22.0.0-next.0
v22.0.0-next.1
v22.0.0-next.10
v22.0.0-next.2
v22.0.0-next.3
v22.0.0-next.4
v22.0.0-next.5
v22.0.0-next.6
v22.0.0-next.7
v22.0.0-next.8
v22.0.0-next.9
vsix-21.*
vsix-21.2.0
vsix-21.2.1
vsix-21.2.2
vsix-21.2.3
vsix-21.2.4
vsix-included-21.*
vsix-included-21.2.4
zone.*
zone.js-0.10.0
zone.js-0.10.1
zone.js-0.10.2
zone.js-0.10.3
zone.js-0.11.0
zone.js-0.11.2
zone.js-0.11.3
zone.js-0.11.4
zone.js-0.11.5
zone.js-0.11.6
zone.js-0.11.7
zone.js-0.11.8
zone.js-0.12.0
zone.js-0.13.0
zone.js-0.13.1
zone.js-0.13.2
zone.js-0.13.3
zone.js-0.14.0
zone.js-0.14.1
zone.js-0.14.10
zone.js-0.14.2
zone.js-0.14.3
zone.js-0.14.4
zone.js-0.14.5
zone.js-0.14.6
zone.js-0.14.7
zone.js-0.14.8
zone.js-0.15.0
zone.js-0.15.1
zone.js-0.16.0
zone.js-0.16.2
zone.js-0.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54267.json"