CVE-2026-54265
Status: Received - Intake
DOM Property Sanitization Bypass in Angular

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
CVSS Scores: none listed on this page
EPSS Scores: not evaluated (probability and percentile N/A)
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
4 associated CPEs:
Vendor   Product   Version / Range
angular  angular   From 20.0.0 (inc) to 22.0.0 (inc)
angular  angular   22.0.1
angular  angular   21.2.17
angular  angular   20.3.25
Note: the range entry is coarse; it does not exclude the patched 20.3.x and 21.2.x releases that fall inside it, and the three single-version entries are the fixed releases named in the description (22.0.1, 21.2.17, 20.3.25), not additional affected versions. Use the description's per-branch "prior to" versions to decide whether a given install is affected.
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2026-54265 is a security vulnerability in the Angular framework's @angular/compiler package that allows bypassing DOM property sanitization through two-way property bindings.

Specifically, when sensitive native DOM properties such as innerHTML, srcdoc, src, href, data, or sandbox are bound using two-way binding syntax (e.g., [(innerHTML)]="value"), the Angular template compiler fails to apply the proper sanitization.

This means that native two-way DOM bindings are emitted without the required sanitizer function, whereas equivalent one-way bindings are properly sanitized.

As a result, an attacker who can control the value of a two-way bound sensitive property can bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS) attacks.

Impact Analysis

This vulnerability can allow an attacker who controls user input bound to sensitive two-way DOM properties to inject malicious scripts into a web application.

Because the sanitization is bypassed, the injected scripts can execute in the context of the victim's browser, leading to Cross-Site Scripting (XSS) attacks.

  • Potential impacts include theft of user data, session hijacking, defacement of the website, or distribution of malware.
  • Users of affected Angular versions who bind user-controlled input to sensitive properties without additional manual sanitization are at risk.

This summary rates the vulnerability as moderate severity (CVSS 5.3); no CVSS vector is listed in the CVSS Scores section of this page, so confirm the score against NVD before using it to prioritize.

Detection Guidance

This vulnerability involves the use of two-way property bindings in Angular templates on sensitive native DOM properties such as innerHTML, srcdoc, src, href, data, or sandbox that bypass sanitization. Detection involves identifying Angular applications using vulnerable versions prior to 22.0.1, 21.2.17, or 20.3.25 and inspecting their source code or compiled templates for two-way bindings on these sensitive properties.

This is a template-compilation flaw, so there is no network-level signature for it; detection is done at the source level. You can scan your codebase for patterns like [(innerHTML)] or bindon-innerHTML to find potentially vulnerable bindings.

  • Use grep or similar tools to search your Angular project files (including .ts files, which may carry inline templates) for two-way bindings on sensitive properties. In grep's default basic regex syntax, \( and \) are grouping operators, so a pattern such as '\[\(innerHTML\)\]' would match the safe one-way form [innerHTML] rather than the two-way form; use a fixed string or extended regex instead, for example:
  • grep -rnF '[(innerHTML)]' ./src
  • grep -rnE '\[\((innerHTML|srcdoc|src|href|data|sandbox)\)\]|bindon-(innerHTML|srcdoc|src|href|data|sandbox)' ./src

Additionally, verify the @angular/compiler version actually resolved in your project (package.json holds only a version range; the lockfile and the installed package carry the real version) by running commands like:

  • npm list @angular/compiler
  • npx ng version
  • or check package-lock.json (not just package.json) for the resolved @angular/compiler version.
Mitigation Strategies

The primary mitigation step is to upgrade the Angular framework's @angular/compiler package to a patched version where this vulnerability is fixed.

  • Upgrade to Angular versions 22.0.1, 21.2.17, or 20.3.25 or later, which include the fix for this vulnerability.

If upgrading immediately is not possible, avoid using two-way bindings on sensitive DOM properties such as innerHTML, srcdoc, src, href, data, or sandbox, or manually sanitize any user-controlled input bound to these properties.

  • Review and refactor Angular templates to replace two-way bindings on sensitive native properties with one-way bindings or ensure proper sanitization. Two-way bindings whose target is a directive input/output pair (for example [(ngModel)]) are not native DOM property bindings and are not the case described here.

Monitor official Angular security advisories and apply patches as soon as they become available.
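The following TypeScript is an added example for this page; it is not code from the advisory, from Angular, or from any real project. It implements the source-level detection described under Detection Guidance (finding [(prop)]="..." and bindon-prop="..." on the six properties the description names, in .html templates and in inline templates inside .ts files) and the refactor recommended under Mitigation Strategies (the one-way [prop]="..." form, which the description says does get the schema sanitizer). It also checks an @angular/compiler version against the fixed releases named in the description. The file names and contents of SAMPLE_FILES are constructed for the example; the claim that dropping the (propChange) half of the binding loses nothing rests on native elements emitting no such event, which is a reasoning step of this example rather than a statement from the advisory.

```typescript
// Added example for this advisory page; not Angular project code. It scans template
// sources for the two-way binding forms the description names ([(prop)]="..." and
// bindon-prop="...") on the listed sanitization-sensitive native properties, proposes
// the one-way rewrite, and checks an @angular/compiler version against the fixed
// releases. Sample inputs below are constructed, not taken from any real project.

const SENSITIVE_PROPS = ["innerHTML", "srcdoc", "src", "href", "data", "sandbox"];
const PROPS = SENSITIVE_PROPS.join("|");

// Group 1 or 2: property name; group 3: quote character; group 4: bound expression.
// In JavaScript regex syntax `\(` is a literal parenthesis (unlike grep's BRE, where it groups).
const TWO_WAY_SOURCE =
  `(?:\\[\\((${PROPS})\\)\\]|bindon-(${PROPS}))\\s*=\\s*(["'])(.*?)\\3`;

export interface Finding {
  file: string;
  line: number;      // 1-based line within the file
  prop: string;      // the native DOM property bound two-way
  match: string;     // the binding as written in the source
  rewrite: string;   // one-way form that goes through the schema sanitizer
}

// Scans one file's text. Works for .html templates and for inline `template:` strings in
// .ts files alike, because the binding text appears literally in both.
export function scanSource(file: string, text: string): Finding[] {
  const findings: Finding[] = [];
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const re = new RegExp(TWO_WAY_SOURCE, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(lines[i])) !== null) {
      const prop = m[1] || m[2];
      findings.push({
        file,
        line: i + 1,
        prop,
        match: m[0],
        // Native elements emit no `<prop>Change` event, so the (propChange) half of the
        // two-way binding never fires; reducing it to a one-way binding loses nothing.
        rewrite: `[${prop}]="${m[4]}"`,
      });
    }
  }
  return findings;
}

export function scanAll(files: { [file: string]: string }): Finding[] {
  let all: Finding[] = [];
  for (const file of Object.keys(files)) {
    all = all.concat(scanSource(file, files[file]));
  }
  return all;
}

// Fixed releases per major, from the advisory text. Other majors are not covered by it.
const FIXED_BY_MAJOR: { [major: number]: [number, number, number] } = {
  20: [20, 3, 25],
  21: [21, 2, 17],
  22: [22, 0, 1],
};

// true = affected, false = at or past the fix, null = not a version this advisory covers.
export function isVulnerableCompilerVersion(version: string): boolean | null {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) return null;
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fixed = FIXED_BY_MAJOR[v[0]];
  if (!fixed) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] < fixed[i]) return true;
    if (v[i] > fixed[i]) return false;
  }
  // Same x.y.z as the fix: a pre-release tag (e.g. 22.0.1-next.0) still sorts before it.
  return Boolean(m[4]);
}

export function report(findings: Finding[]): string[] {
  return findings.map(
    (f) => `${f.file}:${f.line}: two-way binding on native '${f.prop}' (${f.match}) -> use ${f.rewrite}`,
  );
}

// Constructed sample inputs (hypothetical files, not from a real application).
export const SAMPLE_FILES: { [file: string]: string } = {
  "src/app/preview.component.html": [
    `<div class="preview" [(innerHTML)]="draftHtml"></div>`,
    `<iframe [(srcdoc)]="previewDoc" [(sandbox)]="sandboxFlags"></iframe>`,
    `<a [href]="profileUrl">Profile</a>`,
    `<input [(ngModel)]="draftHtml">`,
  ].join("\n"),
  "src/app/legacy.component.ts": [
    `@Component({`,
    `  selector: 'app-legacy',`,
    `  template: '<img bindon-src="imageUrl">',`,
    `})`,
    `export class LegacyComponent { imageUrl = ''; }`,
  ].join("\n"),
};

for (const line of report(scanAll(SAMPLE_FILES))) console.log(line);
console.log("@angular/compiler 21.2.16 affected:", isVulnerableCompilerVersion("21.2.16"));
```

Run it with a TypeScript runner such as tsx or ts-node; on the sample input it reports the innerHTML, srcdoc and sandbox bindings in the .html file and the bindon-src binding inside the inline template, and ignores the one-way [href] and the [(ngModel)] directive binding. Treat each hit as a review item rather than a confirmed bug: if a custom directive on the same element declares a matching @Input and @Output pair (for example href and hrefChange), the two-way binding targets the directive, not the native property, and the advisory does not apply.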

Compliance Impact

This vulnerability allows attackers to bypass Angular's built-in sanitization logic for certain DOM properties, potentially leading to client-side Cross-Site Scripting (XSS) attacks.

XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, and injection of malicious scripts, which may compromise the confidentiality and integrity of personal data.

Such security weaknesses can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive information from unauthorized access or disclosure.

Therefore, failure to patch this vulnerability could result in non-compliance with these standards due to inadequate protection against client-side attacks that expose user data.
