VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ms76-c5dn-23hx

Essentials
Severities (30)
References (9)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ms76-c5dn-23hx
Aliases	CVE-2026-22610 GHSA-jrmj-c5cx-3cw6
Summary	Angular has XSS Vulnerability via Unsanitized SVG Script Attributes A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the `href` and `xlink:href` attributes of SVG `<script>` elements as a Resource URL context. In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections. When template binding is used to assign user-controlled data to these attributes for example, `<script [attr.href]="userInput">` the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a `data:text/javascript` URI or a link to an external malicious script. ### Impact When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to: - Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens. - Data Exfiltration: Accessing and transmitting sensitive information displayed within the application. - Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user. ### Attack Preconditions 1. The victim application must explicitly use SVG `<script>` elements within its templates. 2. The application must use property or attribute binding (interpolation) for the `href` or `xlink:href` attributes of those SVG scripts. 3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses). ### Patches - 19.2.18 - 20.3.16 - 21.0.7 - 21.1.0-rc.0 ### Workarounds Until the patch is applied, developers should: - Avoid Dynamic Bindings: Do not use Angular template binding (e.g., `[attr.href]`) for SVG `<script>` elements. - Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template. ### Resources - https://github.com/angular/angular/pull/66318
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	7.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22610.json
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
epss	0.00016	https://api.first.org/data/v1/epss?cve=CVE-2026-22610
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-jrmj-c5cx-3cw6
cvssv4	8.5	https://github.com/angular/angular
generic_textual	HIGH	https://github.com/angular/angular
cvssv4	8.5	https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56
generic_textual	HIGH	https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56
ssvc	Track	https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56
cvssv4	8.5	https://github.com/angular/angular/pull/66318
generic_textual	HIGH	https://github.com/angular/angular/pull/66318
ssvc	Track	https://github.com/angular/angular/pull/66318
cvssv3.1_qr	HIGH	https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
cvssv4	8.5	https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
generic_textual	HIGH	https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
ssvc	Track	https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
cvssv4	8.5	https://nvd.nist.gov/vuln/detail/CVE-2026-22610
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-22610

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22610.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-22610
		https://github.com/angular/angular
		https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56
		https://github.com/angular/angular/pull/66318
		https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
		https://nvd.nist.gov/vuln/detail/CVE-2026-22610
2428424		https://bugzilla.redhat.com/show_bug.cgi?id=2428424
GHSA-jrmj-c5cx-3cw6		https://github.com/advisories/GHSA-jrmj-c5cx-3cw6

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22610.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/angular/angular

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:29:54Z/ Found at https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/angular/angular/pull/66318

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:29:54Z/ Found at https://github.com/angular/angular/pull/66318

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-12T17:29:54Z/ Found at https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-22610

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.03649
EPSS Score	0.00016
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:52:27.691565+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-jrmj-c5cx-3cw6/GHSA-jrmj-c5cx-3cw6.json	38.0.0