PT-2025-48578 · Google · Angular
Published: 2025-12-01 · Updated: 2026-02-20 · CVE-2025-66412
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Angular versions prior to 21.0.2
Angular versions prior to 20.3.15
Angular versions prior to 19.2.17
Description
A Stored Cross-Site Scripting (XSS) issue exists in the Angular Template Compiler due to an incomplete internal security schema. This allows attackers to bypass Angular’s built-in security sanitization by injecting malicious scripts through URL-holding attributes that are not classified as requiring strict URL security. These attributes can contain javascript: URLs.
Recommendations
Update to Angular version 21.0.2 or later.
Update to Angular version 20.3.15 or later.
Update to Angular version 19.2.17 or later.
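To check a project against the fixed releases listed above, the following added example (not code from the advisory or from the Angular project) audits an npm lockfile, including nested copies of the framework. The package names @angular/core and @angular/compiler, the treatment of majors below 19 and above 21, and the sample lockfile are assumptions made for illustration.

```javascript
// Added example, not from the advisory's authors. Fixed releases per major line,
// copied from the "Recommendations" section above.
const FIXED = { 21: [21, 0, 2], 20: [20, 3, 15], 19: [19, 2, 17] };
// Assumption: these are the npm packages that carry the framework version.
const PACKAGES = ["@angular/core", "@angular/compiler"];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// Classify one version string as "affected", "fixed" or "unknown".
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "unknown";
  if (p.nums[0] > 21) return "fixed"; // assumption: later majors ship the fix
  // Assumption: majors below 19 are read as "prior to 19.2.17", i.e. affected.
  const fixed = FIXED[p.nums[0]] || FIXED[19];
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== fixed[i]) return p.nums[i] < fixed[i] ? "affected" : "fixed";
  }
  // Same triplet as the fix: a prerelease of it sorts before the release.
  return p.pre ? "affected" : "fixed";
}

// Walk an npm lockfile (v2/v3 "packages" map), including nested copies.
function auditLockfile(lockText) {
  const findings = [];
  for (const [path, meta] of Object.entries(JSON.parse(lockText).packages || {})) {
    const name = path.split("node_modules/").pop();
    if (PACKAGES.includes(name)) {
      findings.push({ path, version: meta.version, status: classify(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not real project data).
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/@angular/core": { version: "20.3.14" },
  "node_modules/@angular/compiler": { version: "20.3.14" },
  "node_modules/legacy-widget/node_modules/@angular/core": { version: "18.2.13" },
  "node_modules/new-widget/node_modules/@angular/compiler": { version: "21.0.2" },
  "node_modules/rxjs": { version: "7.8.1" },
} });

console.log(auditLockfile(SAMPLE_LOCK));
```

Nested entries matter because a dependency can pin its own older copy of the framework even after the top-level packages are updated.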
Exploit
Fix
XSS
Affected Products
Angular