CVE-2026-22610

Published: Jan 10, 2026Modified: Jun 2, 2026

8.5

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

Affected (9)

Products: Angular: Angular

Angular

1 product

Angular

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Angular Angular	Up to 18.2.14
Angular Angular	From 19.0.0 to 19.2.18
Angular Angular	From 20.0.0 to 20.3.16
Angular Angular	From 21.0.0 to 21.0.7
Angular Angular	Version 21.1.0 next0
Angular Angular	Version 21.1.0 next1
Angular Angular	Version 21.1.0 next2
Angular Angular	Version 21.1.0 next3
Angular Angular	Version 21.1.0 next4