Description
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.
Published: 2026-05-11
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular Expressions is a standalone module for the Angular.JS web framework. Prior to version 1.5.2, an attacker can craft a malicious expression that uses filters to escape the sandbox and execute arbitrary code on the system. The flaw allows remote code execution and is classified as CWE-95 (eval injection: improper neutralization of directives in dynamically evaluated code).

Affected Systems

The vulnerability affects the Angular Expressions package from peerigon. Versions prior to 1.5.2 are impacted; the fix is released in version 1.5.2.

Risk and Exploitability

The Common Vulnerability Scoring System assigns the issue a score of 9.3 (Critical), indicating a severe impact if exploited. EPSS data is not available, and the flaw is not currently listed in CISA’s KEV catalog. The attack vector is inferred to be remote: an attacker must be able to supply a crafted expression to a vulnerable application that evaluates Angular Expressions, which typically happens through user input on a web interface.

Generated by OpenCVE AI on May 11, 2026 at 17:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Angular Expressions package to version 1.5.2 or later.
  • If an immediate update is not possible, disable or remove the use of filters in Angular Expressions to prevent sandbox escapes.
  • Audit application code to ensure no user-supplied expressions are evaluated; enforce strict input validation or encoding.
  • Monitor application logs for attempts to inject malicious expressions and apply additional access controls as needed.

Advisories
Source | ID | Title
Github GHSA | GHSA-pw8r-6689-xvf4 | Angular Expressions - Remote Code Execution using filters

History

Mon, 11 May 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Peerigon; Peerigon angular-expressions
Vendors & Products | | Peerigon; Peerigon angular-expressions
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.
Title | | Angular Expressions - Remote Code Execution using filters
Weaknesses | | CWE-95
References | |
Metrics | | cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T16:22:58.556Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44643

Vulnrichment

Updated: 2026-05-11T16:22:53.227Z

NVD

Status: Awaiting Analysis

Published: 2026-05-11T16:17:36.143

Modified: 2026-05-12T15:09:58.693

Link: CVE-2026-44643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:15:40Z

Weaknesses