CVE-2026-52725
Status: Received - Intake
Script Injection in Angular Framework

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Showing 4 associated CPEs

Vendor    Product   Version / Range
angular   core      up to 22.0.0-rc.2 (excluding)
angular   core      up to 21.2.15 (excluding)
angular   core      up to 20.3.22 (excluding)
angular   core      up to 18.2.14 (including)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-52725 is a security vulnerability in the Angular framework's @angular/core package that allows attackers to bypass script-execution restrictions during dynamic component creation.

Specifically, the vulnerability arises because the createComponent function fails to reject mounting components directly onto <script> tags or namespaced script elements like <svg:script>. This enables attackers who can control the host element or selector parameter passed to createComponent to initialize or mount Angular components on script-executing tags.

As a result, attackers can execute untrusted code or perform client-side Cross-Site Scripting (XSS) attacks by injecting malicious scripts through these components.

Impact Analysis

If exploited, this vulnerability can allow malicious actors to execute arbitrary JavaScript code in the context of the user's browser.

  • Execution of untrusted scripts leading to Cross-Site Scripting (XSS) attacks.
  • Potential session hijacking by stealing authentication tokens or cookies.
  • Exposure of sensitive user data.
  • Unauthorized actions performed on behalf of the user.

The vulnerability affects Angular applications that dynamically create components using user-controlled inputs without proper sanitization, increasing the risk of exploitation.

Detection Guidance

This vulnerability involves the dynamic creation of Angular components mounted onto <script> or namespaced script elements, which can lead to script execution or XSS. Detection involves identifying whether your Angular application calls the createComponent method with user-controlled inputs that could mount components onto script tags.

Since this is a code-level vulnerability, detection typically requires code review or runtime monitoring rather than network commands. You should audit your Angular codebase for usages of createComponent where the host element or selector parameter might be influenced by untrusted input.

No specific network or system commands are provided in the available resources to detect this vulnerability automatically.

Mitigation Strategies

The primary mitigation step is to upgrade the @angular/core package to a patched version where this vulnerability is fixed. The fixed versions are 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

Additionally, ensure that any dynamic component creation using createComponent does not mount components onto <script> or namespaced script elements. In development mode, the patched Angular framework throws runtime errors if such mounting is attempted, helping to catch unsafe usage.

Review and sanitize any user-controlled inputs that influence the host element or selector parameters passed to createComponent to prevent attackers from injecting malicious script-executing hosts.
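The following is an added example, not Angular's own code or the check introduced by the fixed releases. It shows the kind of namespace-aware guard an application can place in front of createComponent while older versions are still deployed: a host element is rejected when its localName is "script", which covers both the HTML <script> element and foreign-namespace script elements such as <svg:script>. The wrapper name safeCreateComponent, the use of the hostElement option to pass the host, and the stand-in element objects (constructed so the code runs outside a browser) are assumptions made for this example.

```javascript
// Added example (not Angular project code): a guard that refuses to hand a
// script-executing host element to a createComponent-style function.

const XHTML_NS = 'http://www.w3.org/1999/xhtml';
const SVG_NS = 'http://www.w3.org/2000/svg';

// Naive check that only matches HTML <script>. In an HTML document, tagName is
// upper-cased for HTML-namespace elements ('SCRIPT') but case-preserved for
// foreign elements, so an <svg:script> host ('script') slips through.
function naiveIsScriptHost(el) {
  return Boolean(el) && el.tagName === 'SCRIPT';
}

// Namespace-aware check: localName is lower-case for HTML and SVG/MathML
// elements alike, so one comparison covers <script> and <svg:script>.
// toLowerCase() makes the guard conservative for XML documents with
// mixed-case names (it may reject more, never less).
function isScriptHost(el) {
  if (!el || typeof el.localName !== 'string') return false;
  return el.localName.toLowerCase() === 'script';
}

// Wraps a createComponent-style function (assumed signature: (component,
// options) with an optional options.hostElement) and rejects script hosts
// before delegating, mirroring the runtime rejection described for the fix.
function safeCreateComponent(createComponent, component, options = {}) {
  const host = options.hostElement;
  if (host !== undefined && isScriptHost(host)) {
    throw new Error(`Refusing to mount a component on <${host.localName}> host element`);
  }
  return createComponent(component, options);
}

// Constructed stand-ins for DOM elements so the example runs under Node.
function fakeElement(localName, namespaceURI) {
  const tagName = namespaceURI === XHTML_NS ? localName.toUpperCase() : localName;
  return { localName, namespaceURI, tagName };
}

// Runs the guard against a safe host and both kinds of script host and
// reports how many mounts were delegated versus rejected.
function demo() {
  const delegated = [];
  const recordingCreate = (component, options) => {
    delegated.push(options.hostElement.localName);
    return { component, host: options.hostElement };
  };
  const hosts = [
    fakeElement('div', XHTML_NS),     // legitimate host
    fakeElement('script', XHTML_NS),  // HTML <script>
    fakeElement('script', SVG_NS),    // <svg:script>
  ];
  let rejected = 0;
  for (const host of hosts) {
    try {
      safeCreateComponent(recordingCreate, 'DemoComponent', { hostElement: host });
    } catch (err) {
      rejected += 1;
    }
  }
  return { mounted: delegated.length, rejected, delegatedHosts: delegated };
}

console.log(demo());
```

The point of the two checks side by side is the edge case the advisory calls out: a guard written against tagName === 'SCRIPT' passes the namespaced host, while the localName comparison rejects both forms. The same comparison can be applied to an element looked up from a selector before it is passed on.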

Compliance Impact

The vulnerability in Angular's @angular/core package allows attackers to execute untrusted scripts via Cross-Site Scripting (XSS) by mounting components onto script elements. This can lead to session hijacking, sensitive data exposure, or unauthorized user actions.

Such security issues can impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

If exploited, this vulnerability could result in exposure of personal data or unauthorized actions within affected applications, potentially violating data protection requirements and leading to non-compliance.

Therefore, addressing this vulnerability by applying the provided patches is important to maintain compliance with these regulations.
