CVE-2026-22610

EUVD-2026-1698

10.01.2026, 04:16

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
angular	angular	𝑥 ≤ 18.2.14
angular	angular	19.0.0 ≤ 𝑥 < 19.2.18
angular	angular	20.0.0 ≤ 𝑥 < 20.3.16
angular	angular	21.0.0 ≤ 𝑥 < 21.0.7
angular	angular	21.1.0:next0
angular	angular	21.1.0:next1
angular	angular	21.1.0:next2
angular	angular	21.1.0:next3
angular	angular	21.1.0:next4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56

https://github.com/angular/angular/pull/66318

https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6