CVE-2026-22610: XSS Vulnerability in Angular Template Compiler via Unsanitized SVG Script Attributes
A cross-site scripting vulnerability in Angular's Template Compiler allows attackers to inject and execute malicious scripts through SVG elements. Applications running Angular 18.x and earlier have no upstream patch available. NES for Angular delivers a remediated package for all affected EOL versions.

What Is CVE-2026-22610?
CVE-2026-22610 is a cross-site scripting (XSS) vulnerability in Angular's Template Compiler. Angular's internal sanitization schema fails to recognize the href and xlink:href attributes on SVG <script> elements as Resource URL contexts. Because those attributes are not classified correctly, Angular does not apply its URL sanitization logic to them, and malicious script sources pass through unblocked.
The result: an attacker who can influence template content or input values mapped to these attributes can inject and execute arbitrary JavaScript in the browser context of any user who renders the affected view.
CVSS 3.1 Score: 6.1 Medium (NVD) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 4.0 Score: 8.5 High (GitHub Advisory, CNA: GitHub) CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
The NVD and advisory scores differ because CVSS 4.0 accounts for the confidentiality and integrity impact under authenticated conditions. For applications that render user-controlled SVG content, the 4.0 score more accurately reflects real-world risk exposure.
Verify current scoring at NVD.
Why This Matters
XSS vulnerabilities in frontend frameworks are high-value targets. The Angular Template Compiler is a central component: it runs at build time and shapes the sanitization behavior of every rendered view. A gap in its sanitization schema is not isolated to one feature or one route. Any component that processes SVG content with dynamic href or xlink:href attributes on script elements is potentially exposed.
For teams managing enterprise Angular applications, the practical consequences include:
Scanner flags and blocked pipelines. Snyk, Tenable, Twistlock, and OWASP Dependency Check will surface this CVE against affected Angular versions. CI/CD pipelines that enforce a zero-unresolved-critical policy will block on this. If your pipeline blocks before a deployment window, the business impact is immediate.
Compliance exposure. SOC 2 Type II, PCI DSS, and ISO 27001 all require timely remediation of known vulnerabilities in third-party components. An unpatched CVE in an actively deployed Angular version is a finding. For teams operating under strict AppSec SLAs (30 days for Critical, 90 for High), the 4.0 severity rating of 8.5 puts this squarely in the urgent tier.
Client contract risk. B2B SaaS companies that ship Angular-based products to enterprise customers are frequently subject to their customers' security reviews. A known, unpatched vulnerability in the frontend framework can threaten contract renewals.
Please see our previous writeup on CVE-2026-2610 for more.
Which Angular versions are affected by CVE-2026-22610?
CVE-2026-22610 affects all Angular versions prior to the patched releases. The table below separates OSS patch availability from NES coverage:
Angular follows a predictable support lifecycle: each major version receives six months of active support followed by eighteen months of LTS, for a total of twenty-four months. Angular 18 reached end of life in November 2025. The upstream project's last published Angular 18 release was 18.2.14 in September 2025. No patch for CVE-2026-22610 exists in that branch, and none will be issued.
Angular 17 and all earlier versions reached end of life before November 2025. These versions are not receiving security patches from the upstream project for any vulnerability, including CVE-2026-22610.
If your application runs Angular 18 or earlier, the upstream Angular project offers no remediation path for this vulnerability.
Why This Is Hard to Fix
The standard guidance is to upgrade to a patched release. For teams on Angular 19, 20, or 21, that is a straightforward version bump. For teams on Angular 18 or earlier, it is not.
Angular major version upgrades are not incremental. Each major release introduces breaking changes, removes deprecated APIs, and in some cases requires changes to template syntax, dependency injection patterns, component lifecycle behavior, or the build toolchain. Moving from Angular 17 to Angular 19 crosses two major versions. Moving from Angular 15 to Angular 19 crosses four. The Angular team provides migration guides, but they require engineering time, regression testing, and in complex applications, significant refactoring.
For organizations running multiple Angular applications, or applications built by teams that have since been reorganized or reduced, the migration effort is magnified. Lean teams maintaining stable legacy applications often cannot absorb a multi-sprint migration without deferring feature work or accepting delivery risk. Large enterprises with dozens of Angular applications face a portfolio-level prioritization problem.
This is the situation many Angular 18 deployments are in today. Angular 18 is barely six months past its end of life. The deprecation was known, the migration planning was in progress, and then a CVE arrived before the migration was complete.
Technical Breakdown
Angular's sanitization system classifies DOM attributes into security contexts: HTML, Style, URL, and Resource URL. Resource URL contexts, used for attributes that load external scripts or resources, apply the strictest sanitization, blocking untrusted values unless explicitly bypassed.
The vulnerability in CVE-2026-22610 is a classification gap. Angular's internal sanitization schema did not include href and xlink:href attributes on SVG <script> elements in the Resource URL context list. The Angular Template Compiler therefore did not apply Resource URL sanitization to values bound to those attributes.
An attacker who can inject a value into a template binding on one of those attributes can supply an arbitrary script URL. When the browser renders the SVG element, it loads and executes the script. No special privileges are required to craft the payload; the only requirement is reaching a template that renders the unsanitized binding.
The fix, available in Angular 19.2.18, 20.3.16, and 21.0.7, adds href and xlink:href on SVG <script> elements to the Resource URL security context, aligning them with the same sanitization enforcement applied to other resource-loading attributes.
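As an added example (not code from this post, from HeroDevs NES, or from Angular itself), the following script audits Angular template text for the exact binding shape described above, a dynamic href or xlink:href on a script element nested in an svg, so a team still on an EOL branch can gauge its exposure while the NES swap or migration is scheduled. The tag and attribute names come from the advisory; the sample template and the function names are constructed for illustration.

```javascript
// Added example (not from the HeroDevs post or Angular's own code): a heuristic
// audit for the binding shape CVE-2026-22610 left unsanitized, a dynamic
// href / xlink:href on a <script> nested in an <svg>. Regex pass, not a parser.

// One HTML/SVG tag: closing slash, tag name, attribute text (quoted values may contain '>').
const TAG_RE = /<(\/?)([a-zA-Z][\w:.-]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;

// Angular binding forms for href / xlink:href: [href], [attr.href],
// [attr.xlink:href], [xlink:href], bind-href and href="{{ ... }}".
// A static href="https://..." is deliberately not matched.
const DYNAMIC_HREF_RE =
  /\[(?:attr\.)?(?:xlink:)?href\]\s*=|\bbind-(?:attr\.)?(?:xlink:)?href\s*=|(?:^|\s)(?:xlink:)?href\s*=\s*["'][^"']*\{\{/i;

function lineOf(text, index) {
  return text.slice(0, index).split('\n').length;
}

// Returns [{ line, tag }] for every <script> inside an <svg> (or written as
// <svg:script>) whose href / xlink:href is bound dynamically.
function findUnsanitizedSvgScriptBindings(template) {
  const findings = [];
  let svgDepth = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(template)) !== null) {
    const [whole, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    if (tag === 'svg') {
      svgDepth += slash ? -1 : 1;
      continue;
    }
    const isScript = tag === 'script' || tag === 'svg:script';
    const inSvg = svgDepth > 0 || tag === 'svg:script';
    if (isScript && !slash && inSvg && DYNAMIC_HREF_RE.test(attrs)) {
      findings.push({ line: lineOf(template, m.index), tag: whole.trim() });
    }
  }
  return findings;
}

// Constructed sample template: lines 2 and 3 are the vulnerable shape,
// line 4 is a static URL, line 6 is a <script> outside any <svg>.
const SAMPLE_TEMPLATE = [
  '<svg xmlns="http://www.w3.org/2000/svg">',
  '  <script [attr.href]="iconScriptUrl"></script>',
  '  <script xlink:href="{{ legacyUrl }}"></script>',
  '  <script href="https://static.example.invalid/fixed.js"></script>',
  '</svg>',
  '<script [attr.href]="outsideSvg"></script>',
].join('\n');

console.log(findUnsanitizedSvgScriptBindings(SAMPLE_TEMPLATE));
```

Run it over the contents of your .html template files (and inline `template:` strings) to get a list of bindings to review; a hit is a place where the value must come from a trusted source until the patched package is in place.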
The HeroDevs Solution
HeroDevs Never-Ending Support (NES) for Angular resolves CVE-2026-22610 for Angular versions 4 through 18, the full range of EOL Angular releases that have no upstream patch available.
NES for Angular is a drop-in replacement. It replaces your existing Angular packages with patched equivalents via a single package registry token swap. No code changes are required. The patched packages are backward compatible with your existing application code, templates, and build configuration. Implementation takes minutes, not sprints.
NES delivers the CVE-2026-22610 remediation and continues to deliver security patches for every subsequent CVE disclosed against your Angular version, for as long as you need the runway. Your team gets the fix without stopping feature work, without a migration sprint, and without accepting unpatched vulnerabilities in production.
NES for Angular also satisfies the scanner and compliance workflow. HeroDevs is a CVE Numbering Authority (CNA). Patched NES packages are recognized by Snyk, Tenable, and other vulnerability scanners, so the CVE-2026-22610 flag resolves in your dashboard and clears in your CI/CD pipeline. For SOC 2, PCI DSS, and ISO 27001 audits, HeroDevs provides letters of attestation that confirm the vulnerability has been addressed.
How to Fix It
If You Are on Angular 19, 20, or 21
Upgrade to the patched release for your branch:
- Angular 21.x: upgrade to 21.0.7 or 21.1.0+
- Angular 20.x: upgrade to 20.3.16 or later
- Angular 19.x: upgrade to 19.2.18 or later
These are standard version bumps available through npm or the more commonly used ng update workflow. No commercial agreement is required.
If You Are on Angular 18 or Earlier
No upstream patch exists. Your options are:
Option 1: Migrate to a supported Angular version. This resolves the vulnerability and eliminates EOL risk across the board, but it requires engineering time proportional to the version gap and your application's complexity. For teams with a migration already in progress, accelerating that work may be appropriate. For teams starting from scratch, the timeline is typically measured in months, not weeks.
Option 2: Use NES for Angular. NES delivers a remediated package for your current EOL Angular version as a drop-in replacement, with no migration required. You get the fix for CVE-2026-22610 today, while your migration continues on a timeline that works for your team and your business.
What should I do next about CVE-2026-22610?
If your application runs Angular 19, 20, or 21, upgrade to the patched version now.
If your application runs Angular 18 or earlier, every day this CVE sits unpatched is a day on your scanner dashboard, in your compliance review, and on your customer's security questionnaire. HeroDevs NES for Angular closes that gap immediately. Learn how to protect your EOL Angular application without migrating, or talk to the HeroDevs team to get a remediated package on your version today.
FAQ
Which Angular versions are affected by CVE-2026-22610?
CVE-2026-22610 affects every Angular version prior to the patched releases (19.2.18, 20.3.16, and 21.0.7). This includes all currently supported branches (Angular 19, 20, and 21) before their patched minor versions, and every end-of-life Angular version from 4 through 18, none of which will receive an upstream patch.
Is Angular 18 still supported?
No. Angular 18 reached end of life in November 2025 and no longer receives security patches from the upstream Angular project. The final upstream release on the Angular 18 branch was 18.2.14, published in September 2025, which does not include the fix for CVE-2026-22610. Teams running Angular 18 in production must either migrate to a supported version or use a commercial support provider such as HeroDevs NES to receive remediated packages.
Does CVE-2026-22610 affect older Angular versions like 4, 8, or 14?
Yes. CVE-2026-22610 affects every Angular major version from 4 through 18, all of which are end of life and will not receive an upstream patch. HeroDevs NES for Angular covers the full range of EOL Angular releases (v4 through v18) with backward-compatible patched packages that drop in without code changes.
Is there an upstream Angular patch for CVE-2026-22610 on EOL versions?
No. The Angular project does not issue security patches for end-of-life versions, and no upstream patch exists or will be released for Angular 18 or earlier. The only remediation paths for EOL Angular versions are migration to a supported branch or commercial support such as HeroDevs NES.
Additional references:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22610
- GitHub Advisory: https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
- HeroDevs Vulnerability Directory: https://www.herodevs.com/vulnerability-directory/cve-2026-22610
