Open Redirect in Angular Angular-cli
CVE-2026-27738
Angular SSR is a server-side rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the…
Vulnerability class: Open Redirect
EPSS: 0.001 (19.4th percentile)
Affected products
- Angular Angular-cli, versions: >= 21.2.0-next.2, < 21.2.0-rc.0; >= 21.0.0-next.0, < 21.1.5; >= 20.0.0-next.0, < 20.3.17
Weakness classification (CWE)
References
- https://github.com/angular/angular-cli/security/advisories/GHSA-xh43-g2fq-wjrj (x_refsource_CONFIRM)
- https://github.com/angular/angular-cli/issues/32501 (x_refsource_MISC)
- https://github.com/angular/angular-cli/pull/32521 (x_refsource_MISC)
- https://github.com/angular/angular-cli/commit/877f017ace4b83277d773aa37f5813e5e9faec7e (x_refsource_MISC)