CVE-2026-22610
EUVD-2026-169810.01.2026, 04:16
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| angular | angular | 𝑥 ≤ 18.2.14 |
| angular | angular | 19.0.0 ≤ 𝑥 < 19.2.18 |
| angular | angular | 20.0.0 ≤ 𝑥 < 20.3.16 |
| angular | angular | 21.0.0 ≤ 𝑥 < 21.0.7 |
| angular | angular | 21.1.0:next0 |
| angular | angular | 21.1.0:next1 |
| angular | angular | 21.1.0:next2 |
| angular | angular | 21.1.0:next3 |
| angular | angular | 21.1.0:next4 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| Siemens | RUGGEDCOM RST2428P | 𝑥 < V4.0 | ADP |
| Siemens | SIDIS Prime | 𝑥 < V4.0.800 | ADP |
References