CVE-2026-44437— Angular SSR: Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 4
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| angular | angular-cli | >= 22.0.0-next.0, < 22.0.0-next.7 | affected |
>= 21.0.0-next.0, < 21.2.9 | affected | ||
>= 20.0.0-next.0, < 20.3.25 | affected | ||
>= 19.0.0-next.0, < 19.2.25 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44437
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Angular SSR: Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Angular SSR is a server-rise rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (%2e%2e). This allows an attacker to bypass security filters by injecting encoded path traversal sequences that are later decoded and utilized by the application logic. When an Angular SSR application is configured to trust proxy headers and is deployed behind a proxy that forwards the X-Forwarded-Prefix header without prior sanitization, an attacker can provide a payload such as /%2e%2e/evil. This vulnerability is fixed in19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Angular 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Angular是Angular开源的一个开发平台。用于使用 Typescript / JavaScript 和其他语言构建移动和桌面 Web 应用程序。 Angular SSR 19.0.0-next.0至19.2.25之前版本、20.3.25之前版本、21.2.9之前版本和22.0.0-next.7之前版本存在路径遍历漏洞,该漏洞源于X-Forwarded-Prefix标头处理逻辑中内部验证机制未能正确处理URL编码字符,可能导致攻击者绕过安全过滤器注入编码路径遍历序列。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| angular | angular-cli | >= 22.0.0-next.0, < 22.0.0-next.7 | - |
II. Public POCs for CVE-2026-44437
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44437
请登录查看更多情报信息。
- https://github.com/angular/angular-cli/pull/33031x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-44437
IV. Related Vulnerabilities
Same product: angular-cli
Same vendor: angular
- CVE-2026-41423
Angular: SSRF via protocol-relative and backslash URLs in An - CVE-2026-33397
Angular SSR Vulnerable to Protocol-Relative URL Injection vi - CVE-2026-27970
Angular i18n vulnerable to Cross-Site Scripting (XSS) - CVE-2026-27739
Angular SSR is vulnerable to SSRF and Header Injection via r - CVE-2026-27738
Angular SSR has an Open Redirect via X-Forwarded-Prefix
Same weakness: CWE-22
- CVE-2026-8757
adenhq hive Delete Request routes_sessions.py _read_events_t - CVE-2026-8756
fishaudio Bert-VITS2 Gradio webui_preprocess.py generate_con - CVE-2026-8755
fishaudio Bert-VITS2 Model hiyoriUI.py _get_all_models path - CVE-2026-8754
AstrBotDevs AstrBot File Upload chat.py post_file path trave - CVE-2018-25325
Woocommerce CSV Importer 3.3.6 Path Traversal File Deletion
V. Comments for CVE-2026-44437
No comments yet