CVE-2026-27738 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
An Open Redirect vulnerability exists in the internal URL processing logic in Angular SSR. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash.
When an Angular SSR application is deployed behind a proxy that passes the X-Forwarded-Prefix header, an attacker can provide a value starting with three slashes (e.g., ///evil.com).
When the application then issues a redirect (for example via redirectTo or an i18n locale switch) with ///evil.com as the prefix, the normalization strips only one slash and leaves //evil.com, which is emitted in the Location header. The browser interprets // as a protocol-relative URL, redirecting the user from https://your-app.com to https://evil.com. This vulnerability allows attackers to conduct large-scale phishing and SEO hijacking.
This affects deployments where a reverse proxy forwards the X-Forwarded-Prefix header to the SSR process without sanitization. Workaround: sanitize the X-Forwarded-Prefix header. Until the patch is applied, developers should sanitize the X-Forwarded-Prefix header in their server.ts before the Angular engine processes the request:
```ts
// server.ts (Express): normalize X-Forwarded-Prefix before the Angular engine sees it
app.use((req, res, next) => {
  // Node may expose a repeated header as an array; take the first value
  const raw = req.headers['x-forwarded-prefix'];
  const prefix = (Array.isArray(raw) ? raw[0] : raw)?.trim();
  if (prefix) {
    // Sanitize by collapsing any run of leading slashes (or backslashes) to a single slash,
    // so that ///evil.com becomes /evil.com instead of the protocol-relative //evil.com
    req.headers['x-forwarded-prefix'] = prefix.replace(/^[/\\]+/, '/');
  }
  next();
});
```

Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
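As an added example (not Angular's code and not part of the advisory), the snippet below models the single-slash normalization flaw described above next to the hardened form from the workaround, and adds an origin check a defender can apply to a redirect target before it is written into a Location header. It assumes the normalized prefix is used directly as the redirect target; the sample header values are constructed test vectors.

```javascript
// Flawed normalization as described in the advisory: strips only ONE leading slash.
function stripOneLeadingSlash(segment) {
  return segment.startsWith('/') ? segment.slice(1) : segment;
}

// Hardened normalization: collapse any run of leading slashes or backslashes
// (browsers treat "\" like "/" in http(s) URLs) to a single "/".
function normalizePrefix(segment) {
  return segment.replace(/^[/\\]+/, '/');
}

// True when a browser would resolve `target` outside the current origin:
// an absolute URL with a scheme, or a protocol-relative one ("//host").
function leavesOrigin(target) {
  return /^[a-z][a-z0-9+.-]*:/i.test(target) || /^[/\\][/\\]/.test(target);
}

// Defensive gate for a Location value: keep same-origin paths, otherwise
// fall back to the site root instead of sending the user off-site.
function safeLocation(target) {
  return leavesOrigin(target) ? '/' : target;
}

// Compare what each normalization produces for a list of prefix values and
// whether the result would leave the origin.
function compare(prefixes) {
  return prefixes.map((p) => ({
    input: p,
    flawed: stripOneLeadingSlash(p),
    flawedLeavesOrigin: leavesOrigin(stripOneLeadingSlash(p)),
    hardened: normalizePrefix(p),
    hardenedLeavesOrigin: leavesOrigin(normalizePrefix(p)),
  }));
}

// Constructed test vectors (the JS string '/\\evil.com' is the header value "/\evil.com").
const SAMPLE_PREFIXES = ['/app', '//evil.com', '///evil.com', '/\\evil.com', 'https://evil.com'];

console.table(compare(SAMPLE_PREFIXES));
```

Note that a two-slash value survives the flawed strip as a harmless /evil.com, which is why the advisory's payload needs three slashes; the origin check also catches an absolute URL that neither normalization alters.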