CVE-2026-52725

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

A Cross-Site Scripting (XSS) vulnerability (CVE-2026-52725) has been identified in Angular's Core, which allows attackers to mount a dynamic component onto a script element and can lead to arbitrary JavaScript execution within the context of the victim's browser session.

Per OWASP, this vulnerability falls under Stored Cross-Site Scripting. Stored XSS occurs when an application stores untrusted input and later renders it without proper neutralization. In this case, the injected payload may execute when a user interacts with the affected element or automatically when an animation is triggered.

This issue affects multiple versions of Angular.

‍

Details

Module Info

• Product: Angular
• Affected packages: @angular/core
• Affected versions:
  • <=18.2.14
  • >=19.0.0-next.0 <19.2.23
  • >=20.0.0-next.0 <20.3.22
  • >=21.0.0-next.0 <21.2.15
  • >=22.0.0-next.0 <22.0.0-rc.2
• GitHub repository: https://github.com/angular/angular
• Published packages: https://www.npmjs.com/package/@angular/core
• Package manager: npm
• Fixed in:
  • OSS Angular v19.2.23, v20.3.22, v21.2.15 and v22.0.0-rc.2

Vulnerability Info

This Medium-severity vulnerability is found in the @angular/core package in multiple published versions of Angular.

Angular's dynamic component instantiation API, createComponent, does not reject mounting a component directly onto a <script> element or a namespaced script element such as svg:script. Because the host element is not validated against script-executing tags, a custom component can be initialized on a tag that executes scripts.

An attacker who can control the host element or selector parameter passed to createComponent can therefore mount an Angular component directly onto a script tag, leading to the execution of untrusted code. The result is client-side XSS in the browser of the affected user.

This vulnerability affects any Angular application that registers dynamic components based on user-supplied parameters such as selectors or host elements. Successful exploitation results in arbitrary JavaScript execution within the victim's browser session, which can lead to:

• Session hijacking: Stealing session cookies, localStorage data, or authentication tokens.
• Sensitive data exposure: Reading sensitive information displayed within or accessible to the application, such as personal data shown on the page.
• Unauthorized actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

‍

Mitigation

Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

• Migrate affected applications to a patched version of Angular.
• Leverage a commercial support partner like HeroDevs for post-EOL security support.

‍

Credits

• SkyZeroZx (finder)