CVE-2026-46417

Name: CVE-2026-46417 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-46417

HIGH

CVSS v4.0: 8.8 · EPSS: 0.0031 (22.8 percentile)

NetworkNo privilegesNo user interactionSSRFVendor advisory ref

Source data as of: 2026-06-24 05:00:54 UTC

At a glance

Severity: HIGH
CVSS: 8.8 v4.0 · NVD
EPSS: 0.0031 (22.8 percentile) · FIRST.org
CISA KEV: No
Type: SSRF · NVD CWE
Attack conditions (CVSS vector): NetworkNo privilegesNo user interaction · Source: NVD Vector
Published: 2026-06-22 · Modified: 2026-06-23
References: Jump to references (2)

CVSS / EPSS / KEV

CVSS v4.0 8.8 / 10 HIGH Source: NVD

EPSS 0.0031 22.8 percentile Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22, a Server-Side Request Forgery (SSRF) vulnerability exists in @angular/platform-server. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points. When an absolute-form URL (e.g., http://evil.com) is passed to the rendering engine, the internal ServerPlatformLocation can be manipulated into adopting the attacker-controlled domain as the "current" hostname. Consequently, any relative HttpClient requests or PlatformLocation.hostname references are redirected to the attacker controlled server, potentially exposing internal APIs or metadata services. This vulnerability is fixed in 22.0.0-next.12, 21.2.13, 20.3.21, and 19.2.22.

Record details

CVE ID: CVE-2026-46417
CVSS (v4.0): 8.8 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0031 (22.8 percentile) — 2026-06-24
CISA KEV: No
Weakness (CWE): CWE-918
Affected configurations (CPE): 0
Published: 2026-06-22
Modified: 2026-06-23
Status: Undergoing Analysis

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

Reference https://github.com/angular/angular/pull/68570
Vendor advisory https://github.com/angular/angular/security/advisories/GHSA-rfh7-fxqc-q52v

← Back to all records

CVE-2026-46417

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same weakness type (CWE)

Published the same year