Angular SSR Flaw Enables SSRF via Malformed URLs in Server-Side Rendering
Angular disclosed a server-side request forgery (SSRF) issue in @angular/platform-server that affects applications using Server-Side Rendering. The flaw, tracked as CVE-2026-41423, stems from improper handling of protocol-relative and backslash-based URLs passed from server engines such as Express into Angular rendering functions. A crafted request can cause Angular to treat an attacker-controlled domain as the application's origin, allowing relative HttpClient requests and PlatformLocation.hostname references to resolve to external infrastructure.
The issue can expose internal services, including private APIs and cloud metadata endpoints, and related advisory material also links the bug family to header injection risks in Angular SSR deployments. Angular fixed the vulnerability in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, leaving earlier releases vulnerable where SSR is enabled and untrusted request paths can influence rendering context.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Angular patches CVE-2026-41423 in multiple release branches
Angular fixed an SSRF flaw in @angular/platform-server caused by improper handling of protocol-relative and backslash URLs in SSR contexts. The issue was patched in versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8.
Angular discloses SSRF and header injection advisory for Angular SSR
A GitHub security advisory was published for Angular SSR describing SSRF and header injection issues affecting Angular server-side rendering. The advisory is associated with angular/angular-cli.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-41423 - Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
cvefeed.io
Open sourceSSRF and Header Injection in Angular SSR · Advisory · angular/angular-cli · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Stored XSS Vulnerability in Angular via SVG and MathML Bypass
A high-severity vulnerability, tracked as CVE-2025-66412, has been discovered in the Angular framework, allowing stored cross-site scripting (XSS) attacks through SVG animation, SVG URL, and MathML attributes. The flaw exists in the Angular Template Compiler, where the internal security schema fails to properly classify certain URL-holding attributes as requiring strict URL security, enabling attackers to inject malicious scripts that bypass Angular's built-in sanitization. This vulnerability affects Angular versions prior to 21.0.2, 20.3.15, and 19.2.17, and has been addressed in these subsequent releases. Attackers exploiting this vulnerability can persistently inject malicious JavaScript into web applications built with vulnerable Angular versions, potentially compromising user data and session integrity. Organizations using Angular are strongly advised to update to the fixed versions to mitigate the risk of exploitation. The vulnerability is remotely exploitable and has been rated as high severity, with a CVSS 4.0 score of 8.5, underscoring the urgency for prompt remediation.
Mar 21, 2026
SocialEngine Blind SSRF in `/core/link/preview` Fixed in Version 8.0.0
A public advisory disclosed **CVE-2026-41461**, a blind server-side request forgery flaw in SocialEngine affecting **7.8.0**, **7.7.0**, and likely earlier versions. The vulnerability stems from improper sanitization of the `uri` parameter in the `/core/link/preview` endpoint, allowing an authenticated remote attacker to make the SocialEngine server issue HTTP requests to internal or arbitrary destinations, including localhost-accessible services. The issue was discovered by **Egidio Romano**. The vendor was notified in February 2026, but the flaw remained present in SocialEngine **7.8.0** and no official fix was available at the time of public disclosure after the 60-day window. SocialEngine later released **version 8.0.0**, and the researcher confirmed that release properly remediated the SSRF issue. The disclosure indicates the bug could be abused for internal network reachability and server-side request pivoting from authenticated accounts.
May 25, 2026
React Router Flaws Expose Servers to RCE, XSS, and DoS
Multiple vulnerabilities were disclosed in the widely used React Router `npm` package, including a reported remote code execution issue tracked as **CVE-2026-42211** that researchers said could allow unauthenticated attackers to gain shell access when chained with an existing prototype pollution weakness. Additional flaws include **CVE-2026-33245**, a client-side cross-site scripting bug in redirect handling for applications using unstable React Server Components APIs, plus **CVE-2026-34077** and **CVE-2026-42342**, two denial-of-service issues tied to serialization and manifest endpoint performance that can crash or degrade backend services. The XSS issue affects React Router versions `7.7.0` through `7.13.1` when redirects originate from untrusted sources and use `javascript:` targets; applications not using the unstable RSC APIs or running in standard Declarative Mode are not impacted. Maintainers patched **CVE-2026-33245** in React Router `7.13.2`, while broader mitigation for the full set of reported issues requires upgrading to React Router `7.15.0` or Remix `2.17.5`.
Jun 4, 2026