Security Advisory - Published 2026-06-25 - AngularJS

AngularJS CVE-2026-11998: review SCE resource URL policies in legacy apps

CVE-2026-11998 affects AngularJS resource URL trust decisions in legacy apps using Strict Contextual Escaping. AngularJS is end-of-life, so the fix path is to review trust rules now and plan migration instead of waiting for an upstream patch.

Defensive scope: review your own legacy AngularJS codebase. This page does not include bypass strings or browser-side test cases.

CVE summary

CVE              Product    Area               CVSS
CVE-2026-11998   AngularJS  SCE resource URLs  7.6

Owner self-check

# Find AngularJS modules, $sce usage, SCE allow-list configuration and resource-loading directives.
# Single quotes keep '\$sce' and '\.' intact for rg (in double quotes '\$sce' would become '$sce', an end-of-line anchor that never matches).
rg -n 'angular\.module|angularjs|ngSanitize|\$sce|resourceUrlWhitelist|trustedResourceUrlList|iframe|ng-include|templateUrl' .
# Find AngularJS 1.x dependencies and vendored angular.js / angular.min.js files.
rg -n 'angular(@|/)1\.|angular\.js|angular\.min\.js' package.json package-lock.json yarn.lock pnpm-lock.yaml public src 2>/dev/null

What to review

  • AngularJS versions at or after 1.2.0-rc.3, including vendored angular.js files.
  • SCE trusted resource URL allow-lists, iframe sources, script/template URLs, and ng-include usage.
  • Routes where editors, tenants, customers, or CMS content can influence resource URLs.
  • Legacy admin panels that load user-controlled templates, widgets, or embedded content.

Safe fix path

  1. Remove broad resource URL patterns and use explicit trusted host/path allow-lists.
  2. Move user-controlled URLs out of SCE-sensitive contexts where possible.
  3. Put legacy AngularJS apps behind stronger authentication and content review while migration is planned.
  4. Plan migration away from AngularJS because the upstream project is end-of-life.
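To support steps 1 and 2 above, the following audit helper is an added example (not AngularJS code and not from this advisory): it evaluates candidate resource URLs against a $sceDelegateProvider allow-list offline and flags patterns that do not pin a scheme and host. It assumes AngularJS's documented wildcard semantics ('*' matches any run of characters except ':/.?&;', '**' matches anything, 'self' means the application origin, the whole absolute URL must match) and uses hypothetical example.com hosts.

```javascript
// Added audit helper for AngularJS resource URL allow-lists (not AngularJS code).
// Assumption: AngularJS's documented string-pattern semantics, reproduced here so
// a reviewer can test a legacy trustedResourceUrlList without running the app.

function patternToRegExp(pattern) {
  if (pattern.includes('***')) throw new Error("'***' is not a valid pattern");
  // Escape regex metacharacters, then turn the escaped wildcards back into regex.
  const escaped = pattern.replace(/[-()[\]{}+?*.$^|,:#<!\\]/g, '\\$&');
  const source = escaped.replace(/\\\*\\\*/g, '.*').replace(/\\\*/g, '[^:/.?&;]*');
  return new RegExp('^' + source + '$'); // whole-URL match, case-sensitive
}

// True when `url` is accepted by the allow-list. 'self' is simplified to an
// origin comparison against the caller-supplied application origin.
function isAllowedByList(url, list, appOrigin) {
  const parsed = new URL(url); // throws on relative or malformed input
  return list.some((matcher) => {
    if (matcher === 'self') return parsed.origin === appOrigin;
    if (matcher instanceof RegExp) return new RegExp('^' + matcher.source + '$').test(parsed.href);
    return patternToRegExp(matcher).test(parsed.href);
  });
}

// Flags string patterns that do not pin a scheme and host: a pattern with no
// '://', a wildcard in the scheme, '**' anywhere in the authority, or a host
// that is just '*'. These are the "broad resource URL patterns" of fix step 1.
function findBroadPatterns(list) {
  return list.filter((p) => {
    if (typeof p !== 'string' || p === 'self') return false;
    const schemeEnd = p.indexOf('://');
    if (schemeEnd === -1) return true;
    const pathStart = p.indexOf('/', schemeEnd + 3);
    const authority = p.slice(schemeEnd + 3, pathStart === -1 ? p.length : pathStart);
    return p.slice(0, schemeEnd).includes('*') || authority.includes('**') || authority === '*';
  });
}

// Constructed sample lists with hypothetical hosts: the weak setting beside the
// explicit host/path allow-list the fix path asks for.
const BROAD_LIST = ['self', '**'];
const EXPLICIT_LIST = ['self', 'https://cdn.example.com/widgets/**'];
const APP_ORIGIN = 'https://app.example.com';

console.log('broad patterns in BROAD_LIST:', findBroadPatterns(BROAD_LIST));
console.log('broad patterns in EXPLICIT_LIST:', findBroadPatterns(EXPLICIT_LIST));
```

Note that a single '*' does not cross '.', so 'https://cdn.example.com/widgets/*' rejects 'chart.js'; use '**' only in the path portion after the host is fixed.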

Repair help

Use Ping7 CVE Repair when a legacy AngularJS app has complex SCE rules, customer-edited embeds, or admin screens that need review.

References