CVE-2026-22610
Cross-Site Scripting in Angular Template Compiler via SVG Attributes
Publication date: 2026-01-10
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| angular | angular | Up to 18.2.14 (inc) |
| angular | angular | From 19.0.0 (inc) to 19.2.18 (exc) |
| angular | angular | From 20.0.0 (inc) to 20.3.16 (exc) |
| angular | angular | From 21.0.0 (inc) to 21.0.7 (exc) |
| angular | angular | 21.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22610 is a high-severity Cross-Site Scripting (XSS) vulnerability in the Angular Template Compiler. It occurs because Angular's internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as Resource URL contexts. This misclassification allows attackers to inject malicious scripts via these attributes when user-controlled data is bound to them, leading to arbitrary JavaScript execution in the victim's browser. Exploitation requires that the application uses SVG <script> elements with dynamic binding on these attributes and that the bound data comes from untrusted sources. [1]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary JavaScript execution within a victim's browser session. An attacker exploiting this flaw could perform session hijacking by stealing cookies, localStorage, or authentication tokens, exfiltrate sensitive data, and perform unauthorized actions on behalf of the authenticated user. The impact affects confidentiality, integrity, and availability of the affected application and its users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning your Angular application code for usage of SVG <script> elements with dynamic bindings on the href or xlink:href attributes, especially where these attributes are bound to user-controlled or untrusted inputs. There are no specific network detection commands provided, but code review or static analysis tools can be used to identify such patterns. For example, searching your codebase with commands like `grep -r '<script [^>]*\[attr\.href\]' ./` or `grep -r '<script [^>]*\[attr\.xlink:href\]' ./` can help locate potentially vulnerable bindings. [1]
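The grep patterns above miss bindings split across lines and the `{{ }}` interpolation form of the same attribute. The following scanner is an added example, not code from the advisory or from the Angular project: it walks `.html` templates and reports SVG `<script>` tags whose `href` or `xlink:href` is bound via `[attr.…]` or interpolation. The sample templates embedded in it are constructed to exercise the scanner.

```python
import re
from pathlib import Path

# Constructed sample templates (not from any real project) used to exercise the scanner.
SAMPLES = {
    "icon.component.html": '\n<svg>\n  <use [attr.xlink:href]="iconRef"></use>\n</svg>\n',
    "widget.component.html": (
        '\n<svg>\n'
        '  <script [attr.href]="scriptUrl"></script>\n'
        '  <svg:script [attr.xlink:href]="legacyUrl" />\n'
        '</svg>\n'
    ),
    "static.component.html": '\n<svg><script href="/assets/static.js"></script></svg>\n',
    "inline.component.html": '\n<svg><script xlink:href="{{ base }}/x.js"></script></svg>\n',
}

# An SVG <script> start tag (with or without the svg: prefix) whose href / xlink:href
# is dynamically bound, either as [attr.href]="..." / [attr.xlink:href]="..." or as an
# interpolated attribute value href="{{ ... }}". [^>]*? also spans newlines inside the tag.
SCRIPT_HREF_BINDING = re.compile(
    r"<(?:svg:)?script\b[^>]*?"
    r"(?:\[attr\.(?:xlink:)?href\]\s*=|(?:xlink:)?href\s*=\s*[\"'][^\"']*\{\{)",
    re.IGNORECASE,
)

def scan_template(name, text):
    """Return (file, line, snippet) for each suspicious binding found in one template."""
    findings = []
    for m in SCRIPT_HREF_BINDING.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        findings.append((name, line, " ".join(m.group(0).split())))
    return findings

def scan_tree(root):
    """Scan every .html template under a project directory (path is caller-supplied)."""
    findings = []
    for path in sorted(Path(root).rglob("*.html")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_template(str(path), text))
    return findings

def scan_samples():
    """Run the scanner over the constructed samples; only widget and inline should hit."""
    findings = []
    for name, text in SAMPLES.items():
        findings.extend(scan_template(name, text))
    return findings

if __name__ == "__main__":
    for name, line, snippet in scan_samples():
        print(f"{name}:{line}: {snippet}")
```

A static `href` on the same element and a binding on a non-script element such as `<use>` are not reported, so hits are worth reviewing by hand for whether the bound value comes from untrusted input.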
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Avoid using dynamic Angular template bindings on SVG <script> element href and xlink:href attributes. 2) Strictly validate and whitelist any dynamic input that might be bound to these attributes on the server side or before template binding to ensure only trusted URLs are used. 3) Upgrade Angular packages @angular/compiler and @angular/core to patched versions 19.2.18, 20.3.16, 21.0.7, or 21.1.0-rc.0 as soon as possible to apply the official fix. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability enables Cross-Site Scripting (XSS) attacks that can lead to session hijacking, data exfiltration, and unauthorized actions on behalf of authenticated users. Such security breaches can compromise the confidentiality and integrity of user data, potentially violating compliance requirements of standards like GDPR and HIPAA that mandate protection of personal and sensitive information. Therefore, if exploited, this vulnerability could negatively impact compliance with these regulations by exposing protected data and failing to maintain adequate security controls. [1]