CVE-2026-46417

UNKNOWN 0.0

Angular: SSRF via Hostname Hijacking in @angular/platform-server

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.

CWE	CWE-918
Vendor	angular
Product	angular
Published	Jun 22, 2026
Last Updated	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for angular angular

Be the first to know when new unknown vulnerabilities affecting angular angular are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

angular / angular

>= 22.0.0-next.0, < 22.0.0-next.12 >= 21.0.0-next.0, < 21.2.13 >= 20.0.0-next.0, < 20.3.21 >= 19.0.0-next.0, < 19.2.22 <= 18.2.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v github.com: https://github.com/angular/angular/pull/68570