CVE-2026-44437
Severity CVSS v4.0:
MEDIUM
Type:
CWE-22
Path Traversal
Publication date:
13/05/2026
Last modified:
28/05/2026
Description
The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.<br />
When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* | 19.0.0 (including) | 19.2.25 (excluding) |
| cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* | 20.0.0 (including) | 20.3.25 (excluding) |
| cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* | 21.0.0 (including) | 21.2.9 (excluding) |
| cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:node.js:*:* | ||
| cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:angular:angular_cli:22.0.0:next2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:angular:angular_cli:22.0.0:next3:*:*:*:node.js:*:* | ||
| cpe:2.3:a:angular:angular_cli:22.0.0:next4:*:*:*:node.js:*:* | ||
| cpe:2.3:a:angular:angular_cli:22.0.0:next5:*:*:*:node.js:*:* | ||
| cpe:2.3:a:angular:angular_cli:22.0.0:next6:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page



