Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular’s @angular/core implementation contains a flaw in the dynamic component creation API that allows an attacker to mount a component directly onto a <script> or a namespaced script tag such as <svg:script>. The createComponent function accepts a selector string that can be supplied by an attacker; by providing a selector of "script" the framework renders that element and executes its contents. This enables the execution of arbitrary JavaScript in the context of the user’s browser, leading to classic client‑side XSS. The primary consequence is that an attacker who can influence the host element or selector parameter used in a createComponent call can embed malicious scripts into a page. This can result in theft of session cookies, defacement of the application, or credential phishing, all of which occur silently without requiring any privileges on the attacker’s side. The CVSS score of 5.3 places the vulnerability in the moderate severity range, while an EPSS score of less than 1 % indicates a very low likelihood of exploitation to date. It is not listed in CISA’s KEV catalog, but the attack surface remains real for Angular applications that expose dynamic component creation to untrusted input. The weakness is reflected by CWE‑79 (Cross‑Site Scripting) and CWE‑791 (Index Of Returned Pointer Not Checked).

Affected Systems

Angular framework (full), including the @angular/core package. Versions prior to 22.0.0‑rc.2, 21.2.15, 20.3.22, and 19.2.23 are vulnerable. Upgrading to any subsequent release that incorporates the fix resolves the issue.

Risk and Exploitability

This flaw is exploitable without additional privileges. An attacker who can supply the selector or host element to createComponent—common in applications that pass user input to component creation—can inject a <script> tag that runs untrusted code. The moderate CVSS score indicates significant impact if executed, and while exploitation probability is currently very low (EPSS < 1 %), the ease of attack in suitable environments mandates timely patching. The vulnerability is not yet in the KEV catalog, but monitoring for potential exploit activity is advisable.

Generated by OpenCVE AI on July 12, 2026 at 11:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @angular/core package to any release that includes the 22.0.0‑rc.2, 21.2.15, 20.3.22, or 19.2.23 fixes or newer.
  • Validate any selector or host element passed to createComponent; reject values that target <script> or namespaced script tags and avoid using user‑controlled input for that call.
  • Apply a strict Content Security Policy that blocks inline script execution to mitigate any residual XSS risk.

Generated by OpenCVE AI on July 12, 2026 at 11:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-692r-grfm-v8x7 @angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
History

Thu, 09 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-791
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}

threat_severity

Moderate


Mon, 22 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Title Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:59:33.229Z

Reserved: 2026-06-08T14:00:43.571Z

Link: CVE-2026-52725

cve-icon Vulnrichment

Updated: 2026-06-22T15:59:26.819Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:18:43Z

Links: CVE-2026-52725 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T11:15:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-791

    Incomplete Filtering of Special Elements