CVE-2026-44643
CRITICALAngular Expressions - Remote Code Execution using filters
Title source: cnaDescription
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/peerigon/angular-expressions/security/advisories/GHSA-pw8r-6689-xvf4
Scores
CVSS v3
10.0
EPSS
0.0011
EPSS Percentile
28.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-95
Status
published
Products (2)
npm/angular-expressions
0 - 1.5.2npm
peerigon/angular-expressions
< 1.5.2 (2 CPE variants)
Published
May 11, 2026
Tracked Since
May 11, 2026