Security
Jan 12, 2026

CVE-2026-22610 Exposes the Myth of 'Quiet' Framework Security in Angular

HeroDevs found an SVG sanitization bypass in Angular’s template compiler—proof that security comes from sustained scrutiny, not a low CVE count.


Over the past few weeks, a familiar pattern has been repeating itself across the JavaScript ecosystem. Frameworks with long, quiet security histories are suddenly producing serious vulnerabilities once real scrutiny is applied. Angular. React. Next.js. Each case challenges the comforting assumption that maturity and silence equate to safety.

When I previously wrote that a quiet CVE history is not a security guarantee, this is exactly what I meant.

Because there is now another Angular vulnerability, CVE-2026-22610, and it exists for one very clear reason. Someone went looking.

That someone was HeroDevs.

HeroDevs is often described through the lens of extended support, but that framing understates what actually happens here. HeroDevs is a software security company. The work we do goes far beyond maintaining old versions or reacting to upstream disclosures. It involves active security research, adversarial analysis, and intentional examination of code paths that most organizations no longer have the time, incentives, or expertise to explore.

CVE-2026-22610 was uncovered during that work.

The vulnerability lives deep inside Angular’s template compiler, in how the framework classifies and sanitizes attributes on SVG <script> elements. Under specific conditions, Angular failed to recognize href and xlink:href as sensitive resource URLs, allowing attacker-controlled input to bypass sanitization and execute arbitrary JavaScript in a victim’s browser. This is not a superficial bug. It exists at the intersection of compiler behavior, security contexts, and SVG semantics. These are precisely the kinds of assumptions that can remain unchallenged for years.
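To make the classification problem concrete, here is an added example that is not Angular's code and not HeroDevs' fix. It models a template-compiler security schema as a table keyed on "tag|attribute", with a weak table in which a script element is only known to load code through src, and a hardened table in which href and xlink:href on a script element are resource URLs as well. The key format, the namespace normalization, the sanitizer behavior and the sample URL are all assumptions constructed for illustration.

```typescript
// Added example, not Angular's own code: a simplified model of a template-compiler
// security schema. The schema maps "tag|attribute" to a security context, and the
// context decides which sanitizer a bound value passes through. The tables,
// key format and namespace handling below are assumptions made for illustration.

enum SecurityContext {
  NONE = 'NONE',
  HTML = 'HTML',
  URL = 'URL',
  RESOURCE_URL = 'RESOURCE_URL',
}

type Schema = ReadonlyMap<string, SecurityContext>;

function buildSchema(entries: Array<[SecurityContext, string[]]>): Schema {
  const table = new Map<string, SecurityContext>();
  for (const [ctx, keys] of entries) {
    for (const key of keys) table.set(key.toLowerCase(), ctx);
  }
  return table;
}

// Shared base entries (constructed): generic href/src are plain URLs, and a few
// well-known loaders are resource URLs.
const BASE_ENTRIES: Array<[SecurityContext, string[]]> = [
  [SecurityContext.HTML, ['*|innerhtml', '*|outerhtml']],
  [SecurityContext.URL, ['*|href', '*|src', '*|xlink:href']],
  [SecurityContext.RESOURCE_URL, ['base|href', 'iframe|src', 'link|href', 'script|src']],
];

// "Before": <script> is only known to load code through src, so an href or
// xlink:href on an SVG <script> falls through to the generic URL rule.
const WEAK_SCHEMA = buildSchema(BASE_ENTRIES);

// "After": href and xlink:href on <script> (the attributes SVG uses to reference
// an external script) are classified as resource URLs as well.
const HARDENED_SCHEMA = buildSchema([
  ...BASE_ENTRIES,
  [SecurityContext.RESOURCE_URL, ['script|href', 'script|xlink:href']],
]);

// A namespaced parser may present the SVG element as "svg:script" or ":svg:script";
// the lookup must see the same element name either way. (Assumed naming.)
function normalizeTag(tag: string): string {
  return tag.replace(/^:?svg:/i, '').toLowerCase();
}

function securityContextFor(schema: Schema, tag: string, attr: string): SecurityContext {
  const t = normalizeTag(tag);
  const a = attr.toLowerCase();
  return schema.get(`${t}|${a}`) ?? schema.get(`*|${a}`) ?? SecurityContext.NONE;
}

// Simplified sanitizer (constructed, not Angular's): RESOURCE_URL values are
// rejected unless the application explicitly marked them trusted; URL values
// must be relative or use an allow-listed scheme; other contexts pass through.
const SAFE_URL = /^(?:https?|mailto|tel):|^[^:]*$/i;

function sanitizeBoundAttr(
  schema: Schema, tag: string, attr: string, value: string, trusted = false,
): string | null {
  switch (securityContextFor(schema, tag, attr)) {
    case SecurityContext.RESOURCE_URL:
      return trusted ? value : null; // blocked: no sanitizer can make a script URL safe
    case SecurityContext.URL:
      return SAFE_URL.test(value.trim()) ? value : `unsafe:${value}`;
    default:
      return value;
  }
}

// Regression audit: every attribute through which a <script> element can load
// code must resolve to RESOURCE_URL, whatever namespace prefix the parser used.
function auditScriptLoaders(schema: Schema): string[] {
  const gaps: string[] = [];
  for (const tag of ['script', 'svg:script', ':svg:script']) {
    for (const attr of ['src', 'href', 'xlink:href']) {
      if (securityContextFor(schema, tag, attr) !== SecurityContext.RESOURCE_URL) {
        gaps.push(`${tag}|${attr}`);
      }
    }
  }
  return gaps;
}

// Constructed input: a binding on an SVG <script> to an external URL.
const EXTERNAL_SCRIPT = 'https://cdn.example/lib.js';
console.log('weak    :', sanitizeBoundAttr(WEAK_SCHEMA, 'svg:script', 'href', EXTERNAL_SCRIPT));
console.log('hardened:', sanitizeBoundAttr(HARDENED_SCHEMA, 'svg:script', 'href', EXTERNAL_SCRIPT));
console.log('gaps    :', auditScriptLoaders(WEAK_SCHEMA));
```

The point of the audit function is the practitioner's takeaway: a schema keyed on attribute name alone treats href on a script element like href on a link, so a plain-URL sanitizer lets an external script reference through. Keying on element and attribute, and normalizing the SVG namespace prefix before the lookup, is what makes the resource-URL rule apply, and a small table-driven check like the audit above is cheap enough to keep in a test suite so the gap cannot silently return.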

And they often do.

Not because frameworks are poorly built, but because security attention is finite. When upstream support moves on, so does most security research. What remains is a growing body of code that still runs critical systems but is no longer being actively questioned.

When that questioning resumes, discoveries follow.

With the disclosure of CVE-2026-22610, Angular now has four recent high-severity vulnerabilities affecting sanitization, cross-site request protections, and server-side rendering behavior. Together, they impact nearly every major Angular version still deployed in production, including versions that are already end of life and will never receive upstream patches.

This is not unique to Angular.

As HeroDevs has applied the same level of scrutiny across other widely used frameworks and libraries, we have seen the same pattern repeat. Quiet histories give way to meaningful findings once someone takes the time to look closely. In recent work, HeroDevs has identified and responsibly disclosed vulnerabilities affecting AJS, Vuetify, Vue, Elliptic, and additional ecosystems beyond the frontend frameworks most people associate with CVEs.

Different projects. Different maintainers. Same outcome.

Modern software frameworks are no longer small abstractions. They are compilers, runtimes, security layers, transport mechanisms, and build systems combined into highly configurable platforms. The complexity alone guarantees that subtle edge cases will exist. The only question is whether anyone is still examining them.

That question matters most for enterprises running older versions. Once a framework reaches end of life, it effectively exits the mainstream security conversation. It stops receiving audits, threat modeling, and sustained research attention. The code does not become safer over time. It simply becomes quieter.

That silence is where long-term risk accumulates.

HeroDevs exists to counteract that silence. Never Ending Support is not just about keeping legacy applications running. It is about continuing security work after official support ends. It is about discovering vulnerabilities that would otherwise remain hidden, fixing them responsibly, and backporting those fixes into versions that organizations still rely on every day.

CVE-2026-22610 was not inevitable. It was found because someone was still looking.

And recent events across multiple frameworks have made one thing clear. Security does not come from age, popularity, or a lack of headlines. It comes from sustained scrutiny.

In an ecosystem where attention moves quickly and software lives for decades, that scrutiny cannot be optional. It has to be deliberate, continuous, and unapologetically thorough.

Author
Allison Vorthmann
Engineering Manager