Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-44437

Gravedad CVSS v4.0:
MEDIA
Tipo:
CWE-22 Limitación incorrecta de nombre de ruta a un directorio restringido (Path Traversal)
Fecha de publicación:
13/05/2026
Última modificación:
28/05/2026

Descripción

*** Pendiente de traducción *** The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic.<br /> When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* 19.0.0 (incluyendo) 19.2.25 (excluyendo)
cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* 20.0.0 (incluyendo) 20.3.25 (excluyendo)
cpe:2.3:a:angular:angular_cli:*:*:*:*:*:node.js:*:* 21.0.0 (incluyendo) 21.2.9 (excluyendo)
cpe:2.3:a:angular:angular_cli:22.0.0:next0:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next3:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next4:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next5:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular_cli:22.0.0:next6:*:*:*:node.js:*:*