Source: angular.js
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for angular.js.

CVE-2026-11998[0]:
| A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows
| bypassing certain SCE policies for resource URLs and can lead to
| arbitrary JavaScript execution within the context of the victim's
| browser session. SCE's purpose is to ensure that only trusted or
| safe values are used in certain security-sensitive contexts, such as
| resource URLs, including URLs that define executable JavaScript
| scripts, '<iframe>' documents, route templates, etc. A flaw in the
| logic that tries to match entire URLs against regular expression
| matchers can result in partial matches for certain types of regular
| expressions, effectively bypassing the policies and allowing the use
| of unsafe values as resource URLs. This issue affects AngularJS
| versions greater than or equal to 1.2.0-rc.3. Note: The AngularJS
| project was already End-of-Life when this CVE was published and will
| not receive any updates to address this issue. For more information
| see the End-of-Life announcement
| https://docs.angularjs.org/misc/version-support-status .

https://www.herodevs.com/vulnerability-directory/cve-2026-11998?nes-for-angularjs

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-11998
    https://www.cve.org/CVERecord?id=CVE-2026-11998

Please adjust the affected versions in the BTS as needed.

--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
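The advisory's core point is that a resource URL allow-list must match the *entire* URL against each regular expression matcher, not merely find the pattern somewhere in the string. The snippet below is an added illustration written for this report, not AngularJS's own SCE code and not the exact flawed logic behind CVE-2026-11998; the allow-list entries, URLs and function names are constructed for the example. It contrasts a partial-match check with a whole-URL check that is what a hardened matcher should do.

```javascript
// Added example (hypothetical simplified matcher, not AngularJS code).
// Allow-list entries are RegExp objects that are meant to describe complete
// resource URLs, e.g. the only CDN a page may load scripts from.

// Weak check: RegExp.prototype.test succeeds when the pattern matches
// *anywhere* in the URL, so a permitted pattern embedded inside an
// otherwise foreign URL still passes.
function partialMatch(pattern, url) {
  return pattern.test(url);
}

// Hardened check: the match must begin at index 0 and consume the whole
// URL. A fresh RegExp without the g/y flags is built so lastIndex state
// from a shared allow-list entry cannot influence the result.
function wholeMatch(pattern, url) {
  const re = new RegExp(pattern.source, pattern.flags.replace(/[gy]/g, ''));
  const m = re.exec(url);
  return m !== null && m.index === 0 && m[0].length === url.length;
}

// A resource URL is trusted only if some allow-list matcher covers it
// entirely. Accepts only string URLs; anything else is rejected.
function isTrustedResourceUrl(allowList, url) {
  if (typeof url !== 'string') return false;
  return allowList.some((pattern) => wholeMatch(pattern, url));
}

// Constructed sample allow-list and inputs for the demonstration.
const ALLOW_LIST = [/https:\/\/cdn\.example\.com\/.*/];
const IN_LIST = 'https://cdn.example.com/lib.js';
const EMBEDDED = 'https://other.test/?next=https://cdn.example.com/lib.js';

// Expected: IN_LIST passes both checks; EMBEDDED passes only the weak one.
console.log(partialMatch(ALLOW_LIST[0], EMBEDDED)); // true (weak check)
console.log(isTrustedResourceUrl(ALLOW_LIST, EMBEDDED)); // false
```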
