Angular

A server-side request forgery (SSRF) vulnerability exists in `@angular/platform-server` due to improper processing of the request URL by the server-side rendering engine, allowing attackers to redirect relative HTTP requests to attacker-controlled servers, potentially exposing internal APIs or metadata services; patch CVE-2026-46417 immediately.

A cross-site scripting (XSS) vulnerability exists in Angular versions prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, allowing attackers to execute arbitrary code within the context of the vulnerable application, potentially leading to session hijacking, data exfiltration, and unauthorized actions.