Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Published: 2026-01-10
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

Angular’s Template Compiler misclassifies the href and xlink:href attributes of SVG <script> elements as unrestricted URLs. As a result, a malicious SVG file can embed arbitrary script code that will execute within the context of the page rendered by Angular. This flaw constitutes a classic script‑execution vulnerability, reflected by its assignment to CWE‑79.

Affected Systems

The vulnerability affects Angular versions earlier than 19.2.18, 20.3.16, 21.0.7, and 21.1.0‑rc.0. Applications built with any of those releases are at risk until the framework is updated to a patched version. The associated CPE strings identify Angular itself (on the Node.js target platform) as the affected component; the flaw lies in the framework's template compiler, not in any particular Node.js version.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity, while the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply SVG content that Angular renders; based on the description, the attacker would need to get such SVG content into a page the application renders, typically through user‑supplied input.

Generated by OpenCVE AI on April 18, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to version 19.2.18, 20.3.16, 21.0.7, 21.1.0‑rc.0, or any newer release that includes the template‑compiler fix.
  • If an immediate upgrade is not possible, inspect application code for SVG <script> tags, and remove or encode href and xlink:href attributes before rendering, or apply Angular’s DomSanitizer utilities to sanitize the content.
  • Deploy a strict Content Security Policy that blocks inline scripts and restricts script sources to trusted origins, adding an extra layer of protection while the underlying framework is updated.
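The second recommended action above (inspect SVG content for `<script>` elements and strip their `href` / `xlink:href` attributes before rendering) can be turned into a small pre-render check. The following is an added example, not code from Angular or from OpenCVE; it uses Python's standard `xml.etree.ElementTree` rather than Angular's DomSanitizer, and the sample SVG markup embedded in it is constructed for the demonstration (the `cdn.example.invalid` host is a placeholder).

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Serialise with the usual prefixes instead of ElementTree's generated ns0/ns1.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# SVG <script> may appear namespaced or, in sloppy markup, unprefixed.
SCRIPT_TAGS = (f"{{{SVG_NS}}}script", "script")

# The two attributes the advisory names as being misclassified by the
# Angular sanitization schema, in ElementTree's Clark notation.
SCRIPT_URL_ATTRS = ("href", f"{{{XLINK_NS}}}href")

# Constructed sample: one valid shape plus two script elements that would
# load external code via the attributes in question.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">'
    '<circle cx="5" cy="5" r="4"/>'
    '<script href="https://cdn.example.invalid/a.js"/>'
    '<script xlink:href="https://cdn.example.invalid/b.js"/>'
    '</svg>'
)


def find_script_urls(svg_text: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs found on SVG <script> elements.

    Use this as a detection step, e.g. to log or reject user-supplied SVG
    before it reaches an Angular template.
    """
    root = ET.fromstring(svg_text)
    hits = []
    for el in root.iter():
        if el.tag in SCRIPT_TAGS:
            for attr in SCRIPT_URL_ATTRS:
                if attr in el.attrib:
                    hits.append((attr, el.attrib[attr]))
    return hits


def strip_script_urls(svg_text: str) -> str:
    """Remove href / xlink:href from every SVG <script> element.

    Returns the re-serialised markup. Non-script elements are left as-is,
    so legitimate drawing content survives the pass.
    """
    root = ET.fromstring(svg_text)
    for el in root.iter():
        if el.tag in SCRIPT_TAGS:
            for attr in SCRIPT_URL_ATTRS:
                el.attrib.pop(attr, None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for attr, value in find_script_urls(SAMPLE_SVG):
        print(f"script URL attribute found: {attr} = {value}")
    print(strip_script_urls(SAMPLE_SVG))
```

Stripping only the two URL attributes matches the wording of the recommendation, but an SVG `<script>` element with inline content still executes when the SVG is inlined into the DOM, so a stricter policy for untrusted SVG is to drop `<script>` elements entirely (or to render untrusted SVG only through an `<img>` tag, where scripts never run). The parser is also a useful review aid for spotting such attributes in templates checked into the application itself.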

Generated by OpenCVE AI on April 18, 2026 at 19:16 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-jrmj-c5cx-3cw6
Title: Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
History

Mon, 23 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular:21.1.0:next0:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular:21.1.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular:21.1.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular:21.1.0:next3:*:*:*:node.js:*:*
cpe:2.3:a:angular:angular:21.1.0:next4:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Moderate


Mon, 12 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared (Values Added): Angular; Angular angular
Vendors & Products (Values Added): Angular; Angular angular

Sat, 10 Jan 2026 03:45:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Title Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:04:50.480Z

Reserved: 2026-01-07T21:50:39.534Z

Link: CVE-2026-22610

Vulnrichment

Updated: 2026-01-12T17:29:57.792Z

NVD

Status : Analyzed

Published: 2026-01-10T04:16:01.517

Modified: 2026-02-23T18:23:55.623

Link: CVE-2026-22610

Redhat

Severity : Moderate

Published: 2026-01-10T03:35:40Z

Links: CVE-2026-22610 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses