CVE-2026-22610

MEDIUM

Angular Compiler < 21.1.0-rc.0 - XSS

Title source: rule

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

Exploits (1)

nomisec SCANNER
by ashizZz · poc
https://github.com/ashizZz/CVE-2026-22610

References (3)

Scores

CVSS v3 6.1
EPSS 0.0002
EPSS Percentile 3.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (4)
angular/angular 21.1.0 next0 (5 CPE variants)
angular/angular < 18.2.14
angular/compiler 21.1.0-next.0 - 21.1.0-rc.0npm
angular/core 21.1.0-next.0 - 21.1.0-rc.0npm
Published Jan 10, 2026
Tracked Since Feb 18, 2026