Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Published: 2026-06-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Angular’s compiler incorrectly handled two‑way property bindings for DOM properties that normally require sanitization, such as innerHTML, src, href and others. When an attacker can control the value assigned to a two‑way bound property, the framework emits the property setter without applying the sanitizer, enabling execution of arbitrary client‑side script. This flaw results in a client‑side XSS vulnerability manifested when sensitive DOM properties are bound two‑ways rather than one‑way, exposing the application to script injection attacks that can compromise user data or session state.

Affected Systems

The vulnerability affects all Angular versions older than 22.0.1, 21.2.17, or 20.3.25. These releases are associated with the @angular/compiler package. Applications built with Angular 22, 21, or 20 that have not applied these specific patch releases are potentially exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. The likely attack vector involves an attacker who can supply or manipulate the value of a two‑way bound property, such as through untrusted user input, template modifications, or prototype pollution. Because the sanitization is bypassed only for two‑way bindings, mitigations that enforce one‑way binding or explicit sanitization reduce the risk.

Generated by OpenCVE AI on June 22, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Angular to version 22.0.1, 21.2.17, or 20.3.25 or newer to apply the fixed compiler sanitization logic.
  • In existing applications, replace any two‑way bindings on sensitive DOM properties (e.g., innerHTML, srcdoc, src, href, data, sandbox) with one‑way bindings or explicitly apply Angular's DomSanitizer.
  • Review application templates to ensure no accidental use of two‑way binding on properties that require sanitization, and remove or sanitize any such bindings.

Generated by OpenCVE AI on June 22, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-58w9-8g37-x9v5 @angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)
History

Fri, 03 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate


Mon, 22 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Angular
Angular angular
Vendors & Products Angular
Angular angular

Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Title Angular: Two-Way Property Binding Sanitization Bypass (XSS)
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T15:54:58.231Z

Reserved: 2026-06-12T17:13:32.279Z

Link: CVE-2026-54265

cve-icon Vulnrichment

Updated: 2026-06-22T15:54:54.469Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T15:27:38Z

Links: CVE-2026-54265 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T17:45:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')