CVE-2026-54266
CVE-2026-54266 is a medium-severity vulnerability in Angularjs with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-328.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- CVSS v4: 8.8
- EPSS exploit prediction: 0% (1st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38269
- Weakness: CWE-328
- Affected product: Angularjs
- Published:
- Last modified:
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Frequently asked questions
- What is CVE-2026-54266?
- Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering (SSR) so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing request properties (method, response type, mapped URL, serialized body, and sorted query parameters). The cache keys are generated using a weak 32-bit DJB2-like polynomial rolling hash. The 32-bit hash space is extremely small, allowing attackers to find hash collisions. An attacker can easily find a query parameter string (e.g., q=aaCAZMMM for a search request) that produces the exact same 32-bit hash as a sensitive endpoint (e.g., /api/user/profile). When a victim visits a crafted link containing the colliding parameter, the SSR process executes both the search request and the profile request. Due to the hash collision, the search response overwrites the profile response in the TransferState cache. This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
- How severe is CVE-2026-54266?
- CVE-2026-54266 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2026-54266 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (1st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-54266?
- CVE-2026-54266 primarily affects Angularjs. In total, 16 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-54266?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-54266 have an EU (EUVD) identifier?
- Yes. CVE-2026-54266 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38269.
- When was CVE-2026-54266 published?
- CVE-2026-54266 was published on 2026-06-22 and last updated on 2026-06-26.
References
- https://github.com/angular/angular/commit/5f36274da3f961430ae72865159afa02a1dd9133
- https://github.com/angular/angular/pull/69153
- https://github.com/angular/angular/security/advisories/GHSA-39pv-4j6c-2g6v
Affected products (16)
- cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*
More vulnerabilities in Angularjs
- CVE-2026-50168 — High (CVSS 8.2): Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and…
- CVE-2026-50170 — High (CVSS 7.5): Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and…
- CVE-2026-54268 — High (CVSS 7.5): Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and…
- CVE-2019-10768 — High (CVSS 7.5): In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of…
- CVE-2026-50556 — Medium (CVSS 6.1): Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and…
- CVE-2026-50555 — Medium (CVSS 6.1): Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and…
All CVEs affecting Angularjs →
Other CWE-328 vulnerabilities
- CVE-2026-36182 — Critical (CVSS 9.8): GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing…
- CVE-2020-37168 — Critical (CVSS 9.8): Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force…
- CVE-2025-41652 — Critical (CVSS 9.8): The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated…
- CVE-2025-27595 — Critical (CVSS 9.8): The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily…
- CVE-2022-45141 — Critical (CVSS 9.8): Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and…
- CVE-2023-0452 — Critical (CVSS 9.8): Econolite EOS versions prior to 3.2.23 use a weak hash algorithm for encrypting privileged user credentials. A…