{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-06-15T20:59:08.462",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-27738",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-02-25T17:25:40.463",
        "lastModified": "2026-04-15T00:35:42.020",
        "vulnStatus": "Deferred",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "The Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` header, an attacker can provide a value starting with three slashes. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking. In order to be vulnerable, the application must use Angular SSR, the application must have routes that perform internal redirects, the infrastructure (Reverse Proxy/CDN) must pass the `X-Forwarded-Prefix` header to the SSR process without sanitization, and the cache must not vary on the `X-Forwarded-Prefix` header. Versions 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 contain a patch. Until the patch is applied, developers should sanitize the `X-Forwarded-Prefix` header in their `server.ts` before the Angular engine processes the request."
          },
          {
            "lang": "es",
            "value": "El Angular SSR es una herramienta de renderizado del lado del servidor para aplicaciones Angular. Una vulnerabilidad de redirección abierta existe en la lógica interna de procesamiento de URL en versiones de la rama 19.x anteriores a la 19.2.21, la rama 20.x anteriores a la 20.3.17, y la rama 21.x anteriores a la 21.1.5 y 21.2.0-rc.1. La lógica normaliza los segmentos de URL eliminando las barras iniciales; sin embargo, solo elimina una única barra inicial. Cuando una aplicación Angular SSR se despliega detrás de un proxy que pasa el encabezado `X-Forwarded-Prefix`, un atacante puede proporcionar un valor que comienza con tres barras. Esta vulnerabilidad permite a los atacantes realizar phishing a gran escala y secuestro de SEO. Para ser vulnerable, la aplicación debe usar Angular SSR, la aplicación debe tener rutas que realicen redirecciones internas, la infraestructura (Proxy Inverso/CDN) debe pasar el encabezado `X-Forwarded-Prefix` al proceso SSR sin sanitización, y la caché no debe variar según el encabezado `X-Forwarded-Prefix`. Las versiones 21.2.0-rc.1, 21.1.5, 20.3.17 y 19.2.21 contienen un parche. Hasta que se aplique el parche, los desarrolladores deben sanear el encabezado `X-Forwarded-Prefix` en su 'server.ts' antes de que el motor de Angular procese la solicitud."
          }
        ],
        "metrics": {
          "cvssMetricV40": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "4.0",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE",
                "vulnAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "subAvailabilityImpact": "NONE",
                "exploitMaturity": "NOT_DEFINED",
                "confidentialityRequirement": "NOT_DEFINED",
                "integrityRequirement": "NOT_DEFINED",
                "availabilityRequirement": "NOT_DEFINED",
                "modifiedAttackVector": "NOT_DEFINED",
                "modifiedAttackComplexity": "NOT_DEFINED",
                "modifiedAttackRequirements": "NOT_DEFINED",
                "modifiedPrivilegesRequired": "NOT_DEFINED",
                "modifiedUserInteraction": "NOT_DEFINED",
                "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
                "modifiedVulnIntegrityImpact": "NOT_DEFINED",
                "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
                "modifiedSubConfidentialityImpact": "NOT_DEFINED",
                "modifiedSubIntegrityImpact": "NOT_DEFINED",
                "modifiedSubAvailabilityImpact": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "valueDensity": "NOT_DEFINED",
                "vulnerabilityResponseEffort": "NOT_DEFINED",
                "providerUrgency": "NOT_DEFINED"
              }
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Secondary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-601"
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/angular/angular-cli/commit/877f017ace4b83277d773aa37f5813e5e9faec7e",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/angular/angular-cli/issues/32501",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/angular/angular-cli/pull/32521",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj",
            "source": "security-advisories@github.com"
          },
          {
            "url": "https://github.com/angular/angular-cli/issues/32501",
            "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
          }
        ]
      }
    }
  ]
}