Source: angular.js
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for angular.js.

CVE-2026-11998[0]:
| A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows
| bypassing certain SCE policies for resource URLs and can lead to
| arbitrary JavaScript execution within the context of the victim's
| browser session. SCE's purpose is to ensure that only trusted or
| safe values are used in certain security-sensitive contexts, such as
| resource URLs, including URLs that define executable JavaScript
| scripts, '<iframe>' documents, route templates, etc. A flaw in the
| logic that tries to match entire URLs against regular expression
| matchers can result in partial matches for certain types of regular
| expressions, effectively bypassing the policies and allowing the use
| of unsafe values as resource URLs. This issue affects AngularJS
| versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS
| project was already End-of-Life when this CVE was published and will
| not receive any updates to address this issue. For more information
| see the End-of-Life announcement
| https://docs.angularjs.org/misc/version-support-status .

https://www.herodevs.com/vulnerability-directory/cve-2026-11998?nes-for-angularjs
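The advisory's core point is that a resource-URL policy expressed as regular expressions is only meaningful if each pattern is applied as a whole-URL match; a substring match lets a URL that merely contains an allowed origin slip through. The snippet below is an added illustration of that general hazard and its fix, written for this report; it is not AngularJS project code and does not reproduce the library's actual matcher. The policy list, the pattern in it, and the sample URLs are constructed for the example.

```javascript
// Added illustration (not AngularJS project code): a resource-URL policy built
// from regular expressions must be checked as a whole-URL match, not a
// substring match.

// Constructed policy: one pattern intended to allow scripts from a CDN.  It is
// written without ^ and $ anchors, which is exactly the kind of pattern a
// substring match silently over-accepts.
const RESOURCE_URL_POLICY = [/https:\/\/cdn\.example\.org\/[\w./-]+/];

// Naive check: RegExp.prototype.test succeeds as soon as *any* substring of the
// URL matches, so an unanchored pattern also accepts URLs that simply contain
// the allowed origin somewhere inside them.  It is also stateful when the
// pattern carries the g or y flag (lastIndex is advanced between calls).
function allowedNaive(url, patterns = RESOURCE_URL_POLICY) {
  return patterns.some((p) => p.test(url));
}

// Hardened check: the match must start at offset 0 and consume the entire
// string.  The g and y flags are stripped from a copy of the pattern so that
// exec() is stateless and the verdict never depends on the previous call.
function allowedWholeUrl(url, patterns = RESOURCE_URL_POLICY) {
  return patterns.some((p) => {
    const re = new RegExp(p.source, p.flags.replace(/[gy]/g, ''));
    const m = re.exec(url);
    return m !== null && m.index === 0 && m[0].length === url.length;
  });
}

// Constructed sample URLs: one genuinely served from the allowed CDN, one from
// a different host that carries the allowed URL inside its query string.
const LEGIT = 'https://cdn.example.org/app/main.js';
const EMBEDDED =
  'https://other.example/loader?src=https://cdn.example.org/app/main.js';

// Compare the two checks on both inputs; only the whole-URL check rejects the
// embedded case.
function compare(url, patterns = RESOURCE_URL_POLICY) {
  return { naive: allowedNaive(url, patterns), whole: allowedWholeUrl(url, patterns) };
}

console.log('legit   ', compare(LEGIT));     // { naive: true, whole: true }
console.log('embedded', compare(EMBEDDED));  // { naive: true, whole: false }
```

Two caveats follow from the whole-match rule. First, a pattern must then describe the entire URL, so a prefix-only pattern such as `/^https:\/\/cdn\.example\.org\//` rejects every real script URL under the hardened check; it needs an explicit tail like `[\w./-]+` (or `.*` if that is truly the intent). Second, the policy should be reviewed for patterns carrying the `g` or `y` flag, since a stateful `test()` makes the naive check return different answers for identical consecutive calls.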


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11998
    https://www.cve.org/CVERecord?id=CVE-2026-11998

Please adjust the affected versions in the BTS as needed.

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
