A critical Cross-Site Scripting (XSS) vulnerability has been discovered in Angular’s Template Compiler, affecting multiple versions of both @angular/compiler and @angular/core packages.
Tracked as CVE-2026-22610, this vulnerability allows attackers to bypass Angular’s built-in security protections and execute arbitrary JavaScript code within victim browsers.
The Vulnerability
The flaw exists in Angular’s internal sanitization schema, which fails to properly recognize the href and xlink:href attributes of SVG <script> elements as resource URLs requiring strict validation.
This oversight enables attackers to inject malicious payloads via template bindings, thereby executing unauthorized code in users’ sessions.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2026-22610 |
| Vulnerability Type | Cross-Site Scripting (XSS) |
| CWE | CWE-79: Improper Neutralization of Input During Web Page Generation |
| CVSS v4 Score | 7.6 (High) |
| CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
When developers use Angular's property binding syntax (such as `[attr.href]="userInput"`), the compiler treats these SVG script attributes as standard strings rather than dangerous resource links.
This misclassification allows malicious data, including `data:text/javascript` URIs or links to external malicious scripts, to bypass security checks. Successful exploitation of this vulnerability can lead to severe consequences.
Attackers may steal session cookies, localStorage data, or authentication tokens to hijack user accounts.
They could also exfiltrate sensitive information displayed within applications or perform unauthorized actions on behalf of authenticated users.
The vulnerability carries a CVSS v4 base score of 7.6 (High severity). It requires low attack complexity and relatively low privilege levels to exploit.
Affected Versions and Fixed Versions
| Angular Package | Affected Versions | Fixed / Safe Versions |
| --- | --- | --- |
| @angular/compiler, @angular/core | ≥ 21.1.0-next.0 and < 21.1.0-rc.0 | 21.1.0-rc.0 or later |
| @angular/compiler, @angular/core | ≥ 21.0.0-next.0 and < 21.0.7 | 21.0.7 or later |
| @angular/compiler, @angular/core | ≥ 20.0.0-next.0 and < 20.3.16 | 20.3.16 or later |
| @angular/compiler, @angular/core | ≥ 19.0.0-next.0 and < 19.2.18 | 19.2.18 or later |
| @angular/compiler, @angular/core | ≤ 18.2.14 | No patch available; upgrade required |
Exploitation requires specific conditions: the target application must use SVG <script> elements in templates with dynamic property or attribute bindings for href or xlink:href attributes, and the bound data must originate from untrusted sources.
According to the GitHub advisory, developers should immediately update Angular to the patched versions.
Until patches are applied, avoid using dynamic bindings with SVG script elements and implement strict server-side input validation for any dynamic URL values before they reach templates.
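The two interim measures above, auditing templates for dynamic href/xlink:href bindings on SVG `<script>` elements and validating dynamic URL values against an allow-list before they reach a template, as an added TypeScript example. This is not Angular's code and not from the advisory: the scanner is a plain regular-expression pass over template text rather than Angular's template parser, the sample template and the trusted host list are constructed here, and the names `findRiskySvgScriptBindings` and `isAllowedScriptUrl` are chosen for this example.

```typescript
// Added example (not Angular's or the advisory's code). Two defensive helpers
// for the exploitation condition described above: a template audit and an
// allow-list URL check. Assumption: templates are well-formed enough for a
// regular-expression tag walk to track <svg> nesting correctly.

export interface RiskyBinding {
  line: number;       // 1-based line of the offending <script ...> tag
  attribute: string;  // the binding as written, e.g. "[attr.href]"
}

// Report <script> elements nested inside <svg> whose href / xlink:href is a
// dynamic binding: [href], [attr.href], [xlink:href], [attr.xlink:href].
export function findRiskySvgScriptBindings(template: string): RiskyBinding[] {
  const findings: RiskyBinding[] = [];
  const tagRe = /<\/?([a-zA-Z][\w:-]*)\b([^>]*)>/g;
  const riskyAttrRe = /\[(?:attr\.)?(?:xlink:)?href\]\s*=/gi;
  let svgDepth = 0;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(template)) !== null) {
    const isClosing = m[0].startsWith("</");
    const selfClosing = m[2].trim().endsWith("/");
    const name = m[1].toLowerCase();
    if (name === "svg") {
      // Track nesting so a plain <a [attr.href]> outside <svg> is not flagged.
      if (!selfClosing) svgDepth = isClosing ? Math.max(0, svgDepth - 1) : svgDepth + 1;
      continue;
    }
    if (name === "script" && !isClosing && svgDepth > 0) {
      const line = template.slice(0, m.index).split("\n").length;
      let a: RegExpExecArray | null;
      while ((a = riskyAttrRe.exec(m[2])) !== null) {
        findings.push({ line, attribute: a[0].replace(/\s*=$/, "") });
      }
    }
  }
  return findings;
}

function parseAbsoluteUrl(candidate: string): URL | null {
  try {
    return new URL(candidate); // throws for relative or malformed input
  } catch {
    return null;
  }
}

// Allow-list validation for a URL before it is bound into a template: only
// absolute https URLs on hosts you explicitly trust pass; data:, javascript:,
// http:, relative paths and URLs carrying credentials are all rejected.
export function isAllowedScriptUrl(candidate: string, trustedHosts: string[]): boolean {
  const url = parseAbsoluteUrl(candidate);
  if (url === null) return false;
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  const allowed = trustedHosts.map((h) => h.toLowerCase());
  return allowed.includes(url.hostname.toLowerCase());
}

// Constructed sample template: two SVG <script> tags with dynamic bindings
// (lines 3 and 7), one static href, and one non-SVG binding that is fine.
export const SAMPLE_TEMPLATE = `
<svg viewBox="0 0 10 10">
  <script [attr.href]="scriptUrl"></script>
  <script href="/static/safe.js"></script>
</svg>
<a [attr.href]="link">not an svg script</a>
<svg><script [attr.xlink:href]="other"></script></svg>
`;

for (const f of findRiskySvgScriptBindings(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: dynamic ${f.attribute} on an SVG <script> element`);
}
```

Run the scanner over your template files in CI to find any binding that needs to be removed or replaced with a static value, and route every dynamic URL through the allow-list check on the server before it is placed in a template context; the scanner is a heuristic, so a clean result is not proof that no such binding exists.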