CVE-2026-22610
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A Cross-Site Scripting (XSS) vulnerability (CVE-2026-22610) has been identified in Angular's Template Compiler, which allows attackers to bypass sanitization of SVG script sources and can lead to arbitrary JavaScript execution within the context of the victim's browser session.
Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.
This issue affects multiple versions of Angular.
Details
Module Info
- Product: Angular
- Affected packages: @angular/compiler, @angular/core
- Affected versions:
  - <=18.2.14
  - >=19.0.0-next.0 <19.2.18
  - >=20.0.0-next.0 <20.3.16
  - >=21.0.0-next.0 <21.0.7
  - >=21.1.0-next.0 <21.1.0-rc.0
- GitHub repository: https://github.com/angular/angular
- Published packages:
  - Package manager: npm
- Fixed in:
  - OSS Angular v19.2.18, v20.3.16, v21.0.7 and v21.1.0-rc.0
  - Angular NES v17.3.18 and v18.2.18
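To turn the affected ranges above into a check that can be run against an installed version, here is an added helper written for this page; it is not part of the advisory or of Angular. It orders versions by semver precedence so prerelease tags such as -next.0 and -rc.0 compare correctly, and it encodes the OSS npm ranges only: NES builds carry version numbers that fall inside those ranges but are patched, so they must be judged against the "Fixed in" list instead.

```typescript
// Added helper for this page (not advisory or Angular code): is a given
// @angular/compiler or @angular/core version inside the affected npm ranges?

interface Ver {
  core: number[];                       // [major, minor, patch]
  pre: (string | number)[] | null;      // prerelease identifiers, or null for a release
}

export function parseVersion(v: string): Ver {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  // Numeric prerelease identifiers become numbers so "next.10" sorts after "next.9".
  const pre = m[4] ? m[4].split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Returns <0, 0 or >0 following semver precedence: a prerelease sorts before the
// release it precedes, numeric identifiers compare numerically, alphanumeric ones
// lexically, numeric < alphanumeric, and a shorter identifier list sorts first.
export function compareVersions(a: string, b: string): number {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  }
  if (x.pre === null && y.pre === null) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1;
    if (i >= y.pre.length) return 1;
    const p = x.pre[i];
    const q = y.pre[i];
    if (p === q) continue;
    if (typeof p === 'number' && typeof q === 'number') return p - q;
    if (typeof p === 'number') return -1;
    if (typeof q === 'number') return 1;
    return p < q ? -1 : 1;
  }
  return 0;
}

// The affected ranges exactly as the advisory lists them (npm packages only).
interface Range { min: string | null; max: string; maxInclusive: boolean }
export const AFFECTED_RANGES: Range[] = [
  { min: null,            max: '18.2.14',    maxInclusive: true },
  { min: '19.0.0-next.0', max: '19.2.18',    maxInclusive: false },
  { min: '20.0.0-next.0', max: '20.3.16',    maxInclusive: false },
  { min: '21.0.0-next.0', max: '21.0.7',     maxInclusive: false },
  { min: '21.1.0-next.0', max: '21.1.0-rc.0', maxInclusive: false },
];

export function isAffected(version: string): boolean {
  return AFFECTED_RANGES.some(r => {
    const aboveMin = r.min === null || compareVersions(version, r.min) >= 0;
    const c = compareVersions(version, r.max);
    const belowMax = r.maxInclusive ? c <= 0 : c < 0;
    return aboveMin && belowMax;
  });
}

// Stand-alone run: report a few constructed version strings.
for (const v of ['18.2.14', '19.2.17', '19.2.18', '21.1.0-next.3', '21.1.0-rc.0']) {
  console.log(`${v}: ${isAffected(v) ? 'affected' : 'not affected'}`);
}
```

Feed it the version from your lockfile rather than the range in package.json; a caret range such as ^19.2.0 says nothing about which patch release is actually installed.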
Vulnerability Info
This high-severity vulnerability affects the @angular/compiler and @angular/core packages in multiple published versions of Angular.
Normally, Angular's internal sanitization schema recognizes the source attributes of <script> elements as a special security context that requires stricter validation than regular URLs. This is necessary because the URL used for a script effectively controls what JavaScript code is executed in the context of a user's browser session.
However, SVG <script> elements reference their source through different attributes (href and xlink:href) than the src attribute used by the more common HTML <script> element, and Angular failed to classify those SVG attributes as a Resource URL context. This allows attackers to bypass Angular's built-in security protections. When a template binding is used to assign user-controlled data to these attributes (for example, <svg><script [attr.href]="unsanitizedUrl"></script></svg>), the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URL or a link to an external malicious script.
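The following model, written for this page and not taken from Angular's source, shows the mechanism the advisory describes: the compiler resolves a tag|attribute pair to a security context, and the context decides how the bound value is treated. The schema entries are a hand-picked subset (an assumption), the two SVG <script> keys in the patched schema follow the advisory's description rather than the exact upstream change, and the URL sanitizer is a simplified stand-in that rejects only the javascript: scheme.

```typescript
// Added model for this page; it imitates Angular's tag|attribute security-context
// lookup and is not Angular's code. Key names follow Angular's "tag|attr" convention.

export enum SecurityContext { NONE = 'NONE', URL = 'URL', RESOURCE_URL = 'RESOURCE_URL' }

export type Schema = Record<string, SecurityContext>;

// Pre-fix schema (assumed subset): there is no entry for script|href or
// script|xlink:href, so an SVG <script> source binding falls through to NONE
// and is never inspected.
export const VULNERABLE_SCHEMA: Schema = {
  'a|href': SecurityContext.URL,
  'img|src': SecurityContext.URL,
  'script|src': SecurityContext.RESOURCE_URL,
  'iframe|src': SecurityContext.RESOURCE_URL,
};

// Patched schema: the SVG source attributes are classified like script|src.
export const PATCHED_SCHEMA: Schema = {
  ...VULNERABLE_SCHEMA,
  'script|href': SecurityContext.RESOURCE_URL,
  'script|xlink:href': SecurityContext.RESOURCE_URL,
};

export function classify(schema: Schema, tag: string, attr: string): SecurityContext {
  return schema[`${tag.toLowerCase()}|${attr}`] ?? SecurityContext.NONE;
}

// Wrapper for a value the developer has explicitly vouched for; it plays the role
// of the SafeResourceUrl that DomSanitizer.bypassSecurityTrustResourceUrl returns.
export class TrustedResourceUrl {
  constructor(readonly value: string) {}
}

// Simplified stand-in for the URL sanitizer: only javascript: is rejected, so a
// data: URL passes a plain URL context untouched (and a NONE context entirely).
const JAVASCRIPT_SCHEME = /^\s*javascript:/i;

export function sanitize(ctx: SecurityContext, value: string | TrustedResourceUrl): string {
  if (value instanceof TrustedResourceUrl) return value.value;   // explicit trust wins
  switch (ctx) {
    case SecurityContext.NONE:
      return value;
    case SecurityContext.URL:
      return JAVASCRIPT_SCHEME.test(value) ? 'unsafe:' + value : value;
    case SecurityContext.RESOURCE_URL:
      // A resource URL cannot be made safe by rewriting; untrusted input is rejected.
      throw new Error('unsafe value used in a resource URL context');
    default:
      throw new Error('unknown security context');
  }
}

// What a binding such as [attr.href]="expr" on the given element boils down to.
export function bindAttribute(schema: Schema, tag: string, attr: string,
                              value: string | TrustedResourceUrl): string {
  return sanitize(classify(schema, tag, attr), value);
}

// Walk-through of the advisory's pattern: the same untrusted data: URL bound to an
// SVG <script> href is accepted by the old schema and rejected by the patched one.
export function demo(): { vulnerable: string; patched: string } {
  const untrusted = 'data:text/javascript,console.log(1)';   // constructed stand-in for user input
  let patched: string;
  try {
    patched = bindAttribute(PATCHED_SCHEMA, 'script', 'href', untrusted);
  } catch (e) {
    patched = `rejected: ${(e as Error).message}`;
  }
  return { vulnerable: bindAttribute(VULNERABLE_SCHEMA, 'script', 'href', untrusted), patched };
}

console.log(demo());
```

The point of the model is the fall-through in classify: a missing schema entry does not fail closed, it yields NONE, which is why an attribute the schema never heard of is the most permissive case rather than the strictest.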
When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:
- Session hijacking: Stealing session cookies, localStorage data, or authentication tokens.
- Data exfiltration: Accessing and transmitting sensitive information displayed within the application.
- Unauthorized actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.
Steps To Reproduce
- Create a minimal Angular application using a vulnerable version.
- In the main component’s @Component decorator, update the template value with the following:
@Component({
  //...
  template: `
    <svg>
      <script [attr.href]="'data:text/javascript,console.log(\\'HAX\\')'"></script>
    </svg>
  `,
})
- Run the application and observe that the "malicious" code was run, printing "HAX" in the browser Console.
- Similarly, you can use a binding to a component property and/or bind to the xlink:href attribute:
@Component({
  //...
  template: `
    <svg>
      <script [attr.xlink:href]="unsanitizedUrl"></script>
    </svg>
  `,
})
class App {
  unsanitizedUrl = 'data:text/javascript,console.log(\'MORE HAX\')';
}
- Again, run the application and observe the message "MORE HAX" being printed in the browser Console, indicating that the "malicious" code was executed.
- Note that the URL value is hard-coded in these examples for simplicity, but in a real-world scenario the values would be derived from an untrusted source, such as URL parameters, user-submitted database entries, or unsanitized API responses.
Mitigation
Angular versions prior to 19 are End-of-Life and will not receive any updates to address this issue. For more information see here.
Users of the affected components should apply one of the following mitigations:
- Migrate affected applications to a patched version of Angular.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
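While migrating, it helps to know which templates actually bind the SVG <script> source attributes. The following audit helper is an added example written for this page, not part of the advisory or of Angular. It scans template text for <script> start tags that carry an Angular binding on href or xlink:href (bracket or bind- form) and reports the line and whether the tag sits inside an <svg> element; the caller supplies the template text, for example read from component files, and the sample template below is constructed.

```typescript
// Added audit helper for this page (not advisory or Angular code): find <script>
// start tags whose href / xlink:href is an Angular binding.

export interface Finding {
  line: number;        // 1-based line of the <script start tag
  attribute: string;   // the bound attribute, e.g. "attr.xlink:href"
  insideSvg: boolean;  // whether the tag is nested in an <svg> element
}

// Every <script ...> start tag with its attribute text captured.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;
// Angular binding syntax for the source attributes:
//   [attr.href]=, [attr.xlink:href]=, [href]=, bind-attr.href=, bind-href=
const BOUND_HREF = /(?:\[(attr\.(?:xlink:)?href|href)\]|bind-(attr\.(?:xlink:)?href|href))\s*=/gi;

export function findBoundScriptHrefs(template: string): Finding[] {
  const findings: Finding[] = [];
  SCRIPT_TAG.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = SCRIPT_TAG.exec(template)) !== null) {
    const before = template.slice(0, m.index);
    // Count <svg> openings and closings ahead of the tag to decide nesting.
    const opens = (before.match(/<svg\b/gi) ?? []).length;
    const closes = (before.match(/<\/svg\s*>/gi) ?? []).length;
    const line = before.split('\n').length;
    BOUND_HREF.lastIndex = 0;
    let b: RegExpExecArray | null;
    while ((b = BOUND_HREF.exec(m[1])) !== null) {
      findings.push({ line, attribute: b[1] || b[2], insideSvg: opens > closes });
    }
  }
  return findings;
}

// Constructed sample template: one static script, one <a> binding that is
// unrelated, and two SVG <script> bindings of the kind the advisory describes.
export const SAMPLE_TEMPLATE = `
<a [attr.href]="profileUrl">profile</a>
<svg>
  <script [attr.href]="unsanitizedUrl"></script>
  <script src="/static/chart.js"></script>
</svg>
<svg><script [attr.xlink:href]="unsanitizedUrl"></script></svg>
`;

for (const f of findBoundScriptHrefs(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <script> binds ${f.attribute}${f.insideSvg ? ' (inside <svg>)' : ''}`);
}
```

A finding is not automatically a bug: a binding whose value comes from a constant or from bypassSecurityTrustResourceUrl is fine, but each one should be traced to its source, and the scan gives you the list to trace.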
Credits
- George Kalpakas from HeroDevs (finder)
- Shelby Kelley from HeroDevs (finder)