Which versions of angular-expressions are affected by CVE-2026-44643?

angular-expressions library versions 1.5.1 and earlier contain a critical remote code execution vulnerability allowing unauthenticated attackers to bypass security sandbox protections and execute…. A patch is available.

Is there a public PoC exploit available for CVE-2026-44643?

Yes, a public proof-of-concept exploit is available for CVE-2026-44643. Prioritise patching immediately. EPSS: 0.1%.

angular-expressions CVE-2026-44643

Q: What is the CVSS score of CVE-2026-44643?

CVE-2026-44643 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-29078 CRITICAL

Eval Injection (CWE-95)

2026-05-11 GitHub_M

GHSA-pw8r-6689-xvf4

RCE Code Injection

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 11, 2026 - 18:01 vuln.today

Analysis Generated

May 11, 2026 - 18:01 vuln.today

Patch available

May 11, 2026 - 17:17 EUVD

CVSS changed

May 11, 2026 - 16:22 NVD

9.3 (CRITICAL)

CVE Published

May 11, 2026 - 14:33 nvd

CRITICAL 9.3

CVE Published

May 11, 2026 - 14:33 nvd

UNKNOWN (no severity yet)

DescriptionNVD

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.

AnalysisAI

Remote code execution in angular-expressions versions ≤1.5.1 allows unauthenticated network attackers to escape the expression sandbox via malicious filter payloads and execute arbitrary system commands with no user interaction required. CVSS 9.3 (Critical) with confirmed public exploit code available. …

RemediationAI

Within 24 hours: Inventory all applications and dependencies using angular-expressions ≤1.5.1 and restrict network access to affected systems. Within 7 days: Upgrade angular-expressions to version 1.5.2 or later across all production, staging, and development environments; validate upgrades in non-production first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-44643 vulnerability details – vuln.today

Back

angular-expressions CVE-2026-44643

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

angular-expressions CVE-2026-44643

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code