PT-2026-2230 · Google · Angular
Gkalpak +1 · Published 2026-01-09 · Updated 2026-02-17 · CVE-2026-22610
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Angular versions prior to 19.2.18
Angular versions prior to 20.3.16
Angular versions prior to 21.0.7
Angular version 21.1.0-rc.0
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. A cross-site scripting (XSS) issue exists in the Angular Template Compiler due to a failure in Angular's internal sanitization schema to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This could potentially lead to arbitrary code execution.
Recommendations
Update to Angular version 19.2.18 or later.
Update to Angular version 20.3.16 or later.
Update to Angular version 21.0.7 or later.
Update to Angular version 21.1.0-rc.0 or later.
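To check a project against the version ranges above, the following added example (not code from Angular or from this advisory) classifies resolved Angular versions found in a package-lock.json. It assumes the packages to check are @angular/compiler and @angular/core and an npm lockfileVersion 2 or 3 layout; the status labels and function names are this example's own, and 21.1.0-rc.0 is treated as affected, following the affected-versions list.

```javascript
// Added example, not Angular project code. Ranges come from this advisory.
const FIXED = { 19: [19, 2, 18], 20: [20, 3, 16], 21: [21, 0, 7] };
const AFFECTED_EXACT = new Set(['21.1.0-rc.0']);

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns 'affected', 'not-listed' (outside the advisory's ranges) or 'unknown'.
function classify(version) {
  if (AFFECTED_EXACT.has(version)) return 'affected';
  const v = parseVersion(version);
  if (!v) return 'unknown';
  const major = v.nums[0];
  if (major < 19) return 'affected'; // "prior to 19.2.18" includes older majors
  const fixed = FIXED[major];
  if (!fixed) return 'not-listed';
  const c = compare(v.nums, fixed);
  // A prerelease of the fixed version (e.g. 20.3.16-rc.0) sorts before it.
  return c < 0 || (c === 0 && v.pre) ? 'affected' : 'not-listed';
}

// Walk a package-lock.json (lockfileVersion 2 or 3) "packages" map, including
// nested copies under other packages' node_modules directories.
function scanLockfile(lock, names = ['@angular/compiler', '@angular/core']) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!names.includes(name)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile excerpt (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.0' },
  'node_modules/@angular/core': { version: '20.3.16' },
  'node_modules/@angular/compiler': { version: '20.3.15' },
  'node_modules/legacy-widget/node_modules/@angular/core': { version: '21.1.0-rc.0' },
} };

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(f.status.padEnd(10), f.version, f.path);
```

A 'not-listed' result only means the version falls outside the ranges this advisory names; nested copies pulled in by dependencies are reported separately because upgrading the top-level package does not replace them.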
Exploit
Fix
XSS
Affected Products
Angular