CVE-2026-22610: Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Published Jan 9, 2026
·
Updated

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to: - Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens. - Data Exfiltration: Accessing and transmitting sensitive information displayed within the application. - Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

1. The victim application must explicitly use SVG <script> elements within its templates. 2. The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts. 3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches - 19.2.18 - 20.3.16 - 21.0.7 - 21.1.0-rc.0

Workarounds Until the patch is applied, developers should:

- Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements. - Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources

- https://github.com/angular/angular/pull/66318

Other sources

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

MITRE

Affected Software

19 affected componentsFixes available
npm/@angular/core<=18.2.14
npm/@angular/compiler<=18.2.14
npm/@angular/core>=19.0.0-next.0<19.2.18
19.2.18
npm/@angular/compiler>=19.0.0-next.0<19.2.18
19.2.18
npm/@angular/core>=20.0.0-next.0<20.3.16
20.3.16
npm/@angular/compiler>=20.0.0-next.0<20.3.16
20.3.16
npm/@angular/core>=21.0.0-next.0<21.0.7
21.0.7
npm/@angular/compiler>=21.0.0-next.0<21.0.7
21.0.7
npm/@angular/core>=21.1.0-next.0<21.1.0-rc.0
21.1.0-rc.0
npm/@angular/compiler>=21.1.0-next.0<21.1.0-rc.0
21.1.0-rc.0
angular Angular Node.js<=18.2.14
angular Angular Node.js>=19.0.0<19.2.18
angular Angular Node.js>=20.0.0<20.3.16
angular Angular Node.js>=21.0.0<21.0.7
angular Angular Node.js=21.1.0-next0
angular Angular Node.js=21.1.0-next1
angular Angular Node.js=21.1.0-next2
angular Angular Node.js=21.1.0-next3
angular Angular Node.js=21.1.0-next4

Remediation

Patch Available

https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56

Event History

Jan 9, 2026
Advisory Published
via GitHub·06:52 PM
Data Sourced
via GitHub·06:52 PM
DescriptionWeaknessAffected Software
Jan 10, 2026
CVE Published
via MITRE·03:35 AM
Data Sourced
via MITRE·03:35 AM
DescriptionWeakness
Data Sourced
via NVD·04:16 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:16 AM
RemedyAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-22610?

CVE-2026-22610 is classified as a Medium severity Cross-Site Scripting (XSS) vulnerability.

2

How do I fix CVE-2026-22610?

To fix CVE-2026-22610, upgrade to Angular version 19.2.18 or later for both @angular/core and @angular/compiler.

3

What products are affected by CVE-2026-22610?

CVE-2026-22610 affects versions up to 18.2.14 of @angular/core and @angular/compiler.

4

What kind of vulnerability is CVE-2026-22610?

CVE-2026-22610 is a Cross-Site Scripting (XSS) vulnerability that impacts the Angular Template Compiler.

5

What attributes are improperly sanitized in CVE-2026-22610?

CVE-2026-22610 improperly sanitizes the 'href' and 'xlink:href' attributes of SVG <script> elements as a Resource URL context.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203