CVE-2026-54265

Cross-Site Scripting
Affects
Angular
in
Angular
No items found.
Versions
>= 22.0.0-next.0 < 22.0.1 >= 21.0.0-next.0 < 21.2.17 >= 20.0.0-next.0 < 20.3.25 <= 19.2.25
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

A Cross-Site Scripting (XSS) vulnerability (CVE-2026-54265) has been identified in the @angular/compiler package that allows bypassing DOM property sanitization through the use of two-way property bindings.

Per OWASP, this vulnerability falls under Stored Cross-Site Scripting. Stored XSS occurs when an application stores untrusted input and later renders it without proper neutralization. In this case, the injected payload may execute when a user interacts with the affected element or automatically when an animation is triggered.

This issue affects multiple versions of Angular.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the @angular/compiler package in multiple published versions of Angular.

When a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.

This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).

Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.

Mitigation

Angular versions prior to 19 were already End-of-Life when this CVE was published and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a patched version of Angular.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-54265
PROJECT Affected
Angular
Versions Affected
>= 22.0.0-next.0 < 22.0.1 >= 21.0.0-next.0 < 21.2.17 >= 20.0.0-next.0 < 20.3.25 <= 19.2.25
NES Versions Affected
Published date
July 8, 2026
≈ Fix date
June 9, 2026
Category
Cross-Site Scripting
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Angular
Rss feed icon
Subscribe via RSS
or

By submitting the form I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.