A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.
In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.
When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.
When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:
- Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
- Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
- Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.
<script> elements within its templates.href or xlink:href attributes of those SVG scripts.Until the patch is applied, developers should:
[attr.href]) for SVG <script> elements.| Score | Percentile |
|---|---|
| 0.01% | 1.22% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.5 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-jrmj-c5cx-3cw6 ↗ |
| CVE | CVE-2026-22610 ↗ |
| CWE id | Name |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | @angular/compiler | >= 21.1.0-next.0, < 21.1.0-rc.0 | 21.1.0-rc.0 | — |
| npm | @angular/core | >= 21.1.0-next.0, < 21.1.0-rc.0 | 21.1.0-rc.0 | — |
| npm | @angular/compiler | >= 21.0.0-next.0, < 21.0.7 | 21.0.7 | — |
| npm | @angular/core | >= 21.0.0-next.0, < 21.0.7 | 21.0.7 | — |
| npm | @angular/compiler | >= 20.0.0-next.0, < 20.3.16 | 20.3.16 | — |
| npm | @angular/core | >= 20.0.0-next.0, < 20.3.16 | 20.3.16 | — |
| npm | @angular/compiler | >= 19.0.0-next.0, < 19.2.18 | 19.2.18 | — |
| npm | @angular/core | >= 19.0.0-next.0, < 19.2.18 | 19.2.18 | — |
| npm | @angular/compiler | <= 18.2.14 | — | — |
| npm | @angular/core | <= 18.2.14 | — | — |