Angular CVE-2026-22610

Severity: HIGH, 8.5 (CVSS 4.0, GitHub Advisory)
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-01-10 by security-advisories@github.com (GHSA-jrmj-c5cx-3cw6)
Severity by source

GitHub Advisory (primary): 8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat: 7.3 MEDIUM (qualitative)

Primary rating from GitHub Advisory.

CVSS vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Active (A)
Scope: X (not defined)

Lifecycle Timeline (9 events)

• Jun 02, 2026 - 14:28, vuln.today: Analysis Updated, v3 (cvss_changed)
• Jun 02, 2026 - 14:28, vuln.today: Source Code Evidence Fetched
• Jun 02, 2026 - 14:28, vuln.today: Analysis Updated, v2 (cvss_changed)
• Jun 02, 2026 - 14:22, vuln.today: Re-analysis Queued (cvss_changed)
• Jun 02, 2026 - 14:22, NVD: Severity Changed, MEDIUM -> HIGH
• Jun 02, 2026 - 14:22, NVD: CVSS changed, 6.1 (MEDIUM) -> 8.5 (HIGH)
• Mar 12, 2026 - 21:54, vuln.today: Analysis Generated
• Feb 23, 2026 - 18:23, nvd: Patch released (patch available)
• Jan 10, 2026 - 04:16, nvd: CVE Published, MEDIUM 6.1

Description (GitHub Advisory)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

Analysis (AI)

Cross-site scripting in Angular's Template Compiler allows attackers to inject arbitrary JavaScript through unsanitized href and xlink:href attributes on SVG <script> elements bound to untrusted data. It affects Angular versions prior to 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0; no public exploit had been identified at the time of analysis, consistent with a very low EPSS score of 0.01%. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

• Access: Identify Angular app binding SVG script href
• Delivery: Inject malicious URL via user input
• Exploit: Victim loads vulnerable view
• Execution: Angular emits weak URL sanitizer
• Persist: Browser fetches/executes attacker script
• Impact: Steal tokens and perform actions as user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires three concrete prerequisites confirmed by the vendor advisory: (1) the target Angular application must explicitly include SVG <script> elements inside its component templates; (2) the application must use Angular property/attribute binding (e.g., [attr.href]="…" or [attr.xlink:href]="…") on those SVG script attributes rather than static strings; and (3) the bound value must derive from an untrusted source such as URL query parameters, form input, database entries, or third-party API responses. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H) yields a base score of 8.5, reflecting network reach, low complexity, a low-privileged attacker, and required active user interaction, with high confidentiality, integrity, and availability impact on the vulnerable component. …

Exploit Scenario: An attacker submits a malicious payload (such as a data:text/javascript URI or a URL pointing to an attacker-controlled external script) into an input field, URL parameter, or API response that the target Angular application binds into the href or xlink:href attribute of an SVG <script> element. When a victim user navigates to the affected page, Angular emits the URL with the weaker non-resource sanitizer, and the browser loads and executes the attacker's JavaScript in the victim's session, enabling cookie/token theft, data exfiltration, and unauthorized state-changing actions on the user's behalf. …

Remediation: Vendor-released patches are available: upgrade @angular/core and @angular/compiler to 19.2.18, 20.3.16, 21.0.7, or 21.1.0-rc.0 depending on the release line in use, as documented in https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6 and the fixing commit https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56. …
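Prerequisites (1) and (2) of the assessment are things a defender can search templates for. The following is an added example, not code from the advisory or from the Angular project: a small JavaScript audit that lists SVG <script> elements whose href or xlink:href is data-bound or interpolated rather than written as a static string. The function names and the sample templates are constructed for the demo.

```javascript
// Added example (not from the advisory or Angular): a regex-based triage aid
// that flags SVG <script> elements in an Angular template whose href or
// xlink:href is data-bound (property binding or interpolation). It assumes
// Angular's standard template syntax and is not a full HTML parser.

const SVG_BLOCK = /<svg\b[\s\S]*?<\/svg>/gi;
const SCRIPT_OPEN = /<script\b([^>]*)>/gi;
const ATTRIBUTE = /([^\s=]+)\s*=\s*("[^"]*"|'[^']*')/g;

// Map an attribute as written to its target name: [attr.xlink:href] -> xlink:href
function resolveAttribute(written) {
  let name = written;
  let bound = false;
  if (name.startsWith('[') && name.endsWith(']')) {
    name = name.slice(1, -1);
    bound = true;
  }
  if (name.startsWith('attr.')) name = name.slice(5);
  return { name: name.toLowerCase(), bound };
}

// One finding per bound or interpolated href / xlink:href on an SVG <script>.
function auditTemplate(template) {
  const findings = [];
  for (const svg of template.match(SVG_BLOCK) || []) {
    let tag;
    while ((tag = SCRIPT_OPEN.exec(svg)) !== null) {
      let attr;
      while ((attr = ATTRIBUTE.exec(tag[1])) !== null) {
        const { name, bound } = resolveAttribute(attr[1]);
        if (name !== 'href' && name !== 'xlink:href') continue;
        const value = attr[2].slice(1, -1);
        if (bound || value.includes('{{')) {
          findings.push({ attribute: attr[1], value, kind: bound ? 'binding' : 'interpolation' });
        }
      }
    }
  }
  return findings;
}

// Constructed sample templates for the demo; not taken from any real application.
const SAMPLES = {
  boundHref: '<svg xmlns="http://www.w3.org/2000/svg"><script [attr.href]="scriptUrl"></script></svg>',
  boundXlink: '<svg><script [attr.xlink:href]="profile.widgetUrl"></script></svg>',
  interpolated: '<svg><script href="{{ cdnBase }}/chart.js"></script></svg>',
  staticHref: '<svg><script href="/assets/chart.js"></script></svg>',
  scriptOutsideSvg: '<script [attr.src]="x"></script>',
};
```

Each finding is a place to confirm the bound value is trusted; a static string, or a script outside an SVG subtree, is not reported because the advisory's weak-sanitizer path does not apply there.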

Recommended Action (AI)

Within 24 hours: Identify all applications using Angular versions prior to 19.2.18, 20.3.16, 21.0.7, or 21.1.0-rc.0. …
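For that first step, an added example (not the advisory's or Angular's own code) that classifies an installed @angular/core or @angular/compiler version against the fixed releases listed above, treating 21.1.0-rc.0 as a prerelease that sorts below any 21.1.0 release; the function names are assumptions.

```javascript
// Added example (not from the advisory or Angular): decide whether an
// installed Angular version is below the fixed release that governs its
// line. Rule used: the fixed release on the same major.minor if one exists,
// else the newest on the same major; anything older than the 19 line
// is "prior to 19.2.18".

const FIXED_VERSIONS = ['19.2.18', '20.3.16', '21.0.7', '21.1.0-rc.0'];

function parseVersion(v) {
  const [release, pre] = v.replace(/^v/, '').split('-');
  const [major, minor, patch] = release.split('.').map(Number);
  const preParts = pre ? pre.split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { major, minor, patch, pre: preParts };
}

// Semver ordering: numeric parts first; a prerelease sorts below its release,
// and numeric prerelease identifiers sort below alphanumeric ones.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  if (!x.pre || !y.pre) return (x.pre ? -1 : 0) + (y.pre ? 1 : 0);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    if (x.pre[i] === y.pre[i]) continue;
    if (typeof x.pre[i] === 'number' && typeof y.pre[i] === 'number') return x.pre[i] - y.pre[i];
    return String(x.pre[i]) < String(y.pre[i]) ? -1 : 1;
  }
  return 0;
}

function assessVersion(installed) {
  const v = parseVersion(installed);
  const onLine = (f, minorToo) => {
    const p = parseVersion(f);
    return p.major === v.major && (!minorToo || p.minor === v.minor);
  };
  const sameMinor = FIXED_VERSIONS.filter(f => onLine(f, true));
  const sameMajor = FIXED_VERSIONS.filter(f => onLine(f, false));
  const pool = sameMinor.length ? sameMinor : sameMajor;
  let fixedIn = pool.length ? pool[pool.length - 1] : null;
  if (!fixedIn && v.major < 19) fixedIn = FIXED_VERSIONS[0]; // older lines
  const affected = fixedIn !== null && compareVersions(installed, fixedIn) < 0;
  return { installed, affected, fixedIn };
}
```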


CVE-2026-22610 vulnerability details – vuln.today