CVE-2026-22610: Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
(updated )
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.
In a standard security model, attributes that can load and execute code (like a script’s source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular’s built-in security protections.
When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.
References
- cert-portal.siemens.com/productcert/html/ssa-253495.html
- cert-portal.siemens.com/productcert/html/ssa-485750.html
- github.com/advisories/GHSA-jrmj-c5cx-3cw6
- github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56
- github.com/angular/angular/pull/66318
- github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
- nvd.nist.gov/vuln/detail/CVE-2026-22610
Code Behaviors & Features
Detect and mitigate CVE-2026-22610 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →