Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22, an issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., <svg:script> or <:svg:script>) were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22 and 19.2.22.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular’s template preprocessing and runtime sanitizers do not fully recognize elements and attributes within custom namespaces such as SVG or MathML. Namespaced script tags like <svg:script> or attributes prefixed with a namespace can slip past Angular’s filter and be compiled into the DOM, allowing malicious code to be injected. This flaw is a form of input validation bypass that permits an attacker to inject executable code that runs in the client's browser, violating confidentiality and integrity of client data. The vulnerability is categorized as CWE‑79.

Affected Systems

The issue exists in Angular packages @angular/compiler and @angular/core released before 22.0.0‑rc.2, 21.2.15, 20.3.22 and 19.2.22. Upgrading to releases 22.0.0‑rc.2 or later, 21.2.15 or later, 20.3.22 or later, or 19.2.22 or later eliminates the vulnerability.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited public exploitation. However, based on the description, the likely attack vector is via any user‑controlled input rendered as an Angular template. An attacker who can supply or manipulate such input can execute arbitrary JavaScript in the victim’s browser. While no known exploitation campaigns are documented, the potential impact justifies prompt remediation.

Generated by OpenCVE AI on June 22, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to a fixed release: 22.0.0‑rc.2 or later, 21.2.15 or later, 20.3.22 or later, or 19.2.22 or later.
  • Configure templates to reject or encode any user‑supplied namespaced elements or attributes; disable or whitelist custom namespaces.
  • Implement a Content Security Policy that blocks inline scripts and eval calls to limit damage if XSS occurs.

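As a concrete aid to the first recommended action, the following added example (not OpenCVE's, GitHub's or Angular's code) checks the @angular/core and @angular/compiler versions recorded in a package-lock.json against the fixed releases named in this advisory. Only the fixed-version list is taken from the advisory; the semver comparison, the treatment of major lines the advisory does not mention, and the sample lockfile are this example's own assumptions.

```javascript
// Added example: decide whether an installed Angular version falls in the
// affected range described above. Fixed versions come from the advisory text;
// everything else here is this example's own logic.
const FIXED_VERSIONS = ['19.2.22', '20.3.22', '21.2.15', '22.0.0-rc.2'];

function parseVersion(v) {
  // major.minor.patch with an optional prerelease tag such as "rc.2"
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]),
    pre: m[4] ? m[4].split('.') : [],
  };
}

function compareIdent(a, b) {
  // Prerelease identifiers: numeric ones compare numerically and sort before
  // alphanumeric ones; alphanumeric ones compare lexically.
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // A final release sorts after any prerelease of the same version,
  // so 22.0.0-rc.1 < 22.0.0-rc.2 < 22.0.0.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(a.pre.length - b.pre.length);
}

function isAffected(installed) {
  const major = parseVersion(installed).major;
  const fix = FIXED_VERSIONS.find(f => parseVersion(f).major === major);
  if (!fix) {
    // Assumption (not stated by the advisory): major lines older than 19
    // never received the fix, and major lines newer than 22 ship after it.
    return major < 19;
  }
  return compareVersions(installed, fix) < 0;
}

function auditLockfile(lock) {
  // lock: a parsed package-lock.json (lockfileVersion 2 or 3 "packages" map).
  const results = [];
  for (const pkg of ['@angular/core', '@angular/compiler']) {
    const entry = lock.packages && lock.packages[`node_modules/${pkg}`];
    if (entry && entry.version) {
      results.push({ pkg, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return results;
}

// Constructed sample lockfile: one package below the fix, one at it.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    'node_modules/@angular/core': { version: '21.2.14' },
    'node_modules/@angular/compiler': { version: '21.2.15' },
  },
};

console.log(auditLockfile(sampleLock));
```

In a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a mixed result such as the sample's (core behind, compiler current) is itself worth flagging, since the advisory fixes both packages together.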

Advisories
  Source: Github GHSA
  ID: GHSA-f3m7-gqxr-g87x
  Title: Angular: Template and Attribute Namespace Sanitization Bypass (XSS)

History

Mon, 22 Jun 2026 15:45:00 +0000

Values removed: none

Values added:
  • Description: the description given at the top of this page
  • Title: Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
  • Weaknesses: CWE-79
  • References: none
  • Metrics: cvssV4_0, score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:11:48.347Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50557

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T17:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')