CVE-2026-44643
Received Received - Intake
Code Execution in Angular Expressions via Sandbox Escape

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-44643
EUVD
EUVD-2026-29078
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
peerigon angular_expressions to 1.5.2 (exc)
peerigon angular_expressions 1.5.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows remote code execution by bypassing sandbox protections, which can lead to unauthorized access and control over the affected system.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data security and protection against unauthorized access.

Failure to patch this vulnerability could result in violations of these regulations due to compromised confidentiality, integrity, and availability of sensitive data.

Executive Summary

The CVE-2026-44643 vulnerability affects the angular-expressions npm package versions 1.5.1 and earlier. It allows an attacker to write malicious expressions that bypass the sandbox protections, enabling the execution of arbitrary code on the system. This means that the attacker can run any code they want, potentially taking full control of the affected system. The vulnerability is due to improper neutralization of directives in dynamically evaluated code, classified under CWE-95.

Impact Analysis

This vulnerability can have a critical impact as it allows remote code execution without any user interaction or privileges required. An attacker exploiting this flaw could gain full system access, potentially leading to data theft, system compromise, or further attacks within the network.

Detection Guidance

This vulnerability affects the npm package angular-expressions versions 1.5.1 and earlier. Detection involves identifying if your system or network is running a vulnerable version of this package.

You can check the installed version of angular-expressions in your project by running the following command in your project directory:

  • npm list angular-expressions

If the version is 1.5.1 or earlier, your system is vulnerable.

Additionally, monitoring for suspicious activity involving Angular expressions that attempt to escape sandbox restrictions or execute arbitrary code may help detect exploitation attempts, but no specific detection commands are provided.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the angular-expressions package to version 1.5.2 or later, where the issue is fixed.

Ensure that your project dependencies are updated by running:

After upgrading, verify that the new version is installed by running:

  • npm list angular-expressions

Additionally, review your codebase for any use of Angular expressions that could be exploited and apply best practices to avoid executing untrusted expressions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44643. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart