New Angular Vulnerability Allows Malicious Code Execution
A critical Cross-Site Scripting (XSS) vulnerability has been identified within Angular’s Template Compiler. This flaw affects multiple versions of both the @angular/compiler and @angular/core...
A critical Cross-Site Scripting (XSS) vulnerability has been identified within Angular’s Template Compiler. This flaw affects multiple versions of both the @angular/compiler and @angular/core packages.
Tracked as CVE-2026-22610, this vulnerability allows attackers to bypass Angular’s built-in security protections and execute arbitrary JavaScript code within victim browsers.
The Vulnerability
The flaw exists in Angular’s internal sanitization schema, which fails to properly recognize the href and xlink:href attributes of SVG <script> elements as resource URLs requiring strict validation.
This oversight enables attackers to inject malicious payloads via template bindings, thereby executing unauthorized code in users’ sessions.
| Field | Details |
|---|---|
| CVE ID | CVE-2026-22610 |
| Vulnerability Type | Cross-Site Scripting (XSS) |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation |
| CVSS v4 Score | 7.6 (High) |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
When developers use Angular’s property binding syntax (such as [attr.href]=”userInput”), the compiler treats these SVG script attributes as standard strings rather than dangerous resource links.
This misclassification allows malicious data, including data: text/javascript URIs or links to external malicious scripts, to bypass security checks. Successful exploitation of this vulnerability can lead to severe consequences.
Attackers may steal session cookies, localStorage data, or authentication tokens to hijack user accounts.
They could also exfiltrate sensitive information displayed within applications or perform unauthorized actions on behalf of authenticated users.
The vulnerability carries a CVSS v4 base score of 7.6 (High severity). It requires low attack complexity and relatively low privilege levels to exploit.
Affected Versions and Fixed Versions
| Angular Package | Affected Versions | Fixed / Safe Versions |
|---|---|---|
| @angular/compiler, @angular/core | ≥ 21.1.0-next.0 and < 21.1.0-rc.0 | 21.1.0-rc.0 or later |
| @angular/compiler, @angular/core | ≥ 21.0.0-next.0 and < 21.0.7 | 21.0.7 or later |
| @angular/compiler, @angular/core | ≥ 20.0.0-next.0 and < 20.3.16 | 20.3.16 or later |
| @angular/compiler, @angular/core | ≥ 19.0.0-next.0 and < 19.2.18 | 19.2.18 or later |
| @angular/compiler, @angular/core | ≤ 18.2.14 | No patch available — upgrade required |
Exploitation requires specific conditions: the target application must use SVG <script> elements in templates with dynamic property or attribute bindings for href or xlink:href attributes, and the bound data must originate from untrusted sources.
According to GitHub advisory, developers should immediately update Angular to patched versions.
Until patches are applied, avoid using dynamic bindings with SVG script elements and implement strict server-side input validation for any dynamic URL values before they reach templates.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.