Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (core version) |
Remediation Possible** |
| CVE-2026-54267 |
 High |
8.1 |
core-15.2.2.tgz |
Direct |
https://github.com/angular/angular.git - v21.2.17,https://github.com/angular/angular.git - v20.3.25 |
❌ |
| CVE-2026-27970 |
High |
8.1 |
core-15.2.2.tgz |
Direct |
@angular/core - 20.3.17,@angular/core - 19.2.19,@angular/core - 21.1.6,https://github.com/angular/angular.git - v21.2.0,https://github.com/angular/angular.git - v20.3.17,https://github.com/angular/angular.git - v19.2.19,https://github.com/angular/angular.git - v21.1.5 |
❌ |
| CVE-2026-22610 |
High |
8.0 |
core-15.2.2.tgz |
Direct |
angular - 20.3.16,angular - 21.0.7,angular - 19.2.18,https://github.com/angular/angular.git - v19.2.18,https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v21.0.7 |
❌ |
| CVE-2026-52725 |
 Medium |
5.4 |
core-15.2.2.tgz |
Direct |
@angular/core - 19.2.23,@angular/core - 20.3.22,@angular/core - 21.2.15 |
❌ |
| CVE-2026-50557 |
Medium |
5.4 |
core-15.2.2.tgz |
Direct |
https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v20.3.22,https://github.com/angular/angular.git - v19.2.22 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-54267
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via "provideClientHydration()". During SSR, Angular serializes the application's runtime state (such as cached "HttpClient" responses) and outputs it into the HTML stream as a "<script>" tag with a predictable identifier: <script type="application/json" id="ng-state"> {"some-api-url": {"body": ...}} </script>During client bootstrap, Angular recovers this state by looking up the element via "document.getElementById('ng-state')" and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector ("ng-state"), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as "id" (e.g., "<div [id]="userInput">" or "") before the genuine "<script>" tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls "document.getElementById('ng-state')", the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. Impact By clobbering the state element, the attacker can inject a custom JSON payload into Angular's "TransferState" cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache. 1. The attacker injects a clobbered "ng-state" element containing custom JSON. 2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice. 3. During client-side initialization, Angular's "HttpClient" checks "TransferState" before making requests. Finding the poisoned key, "HttpClient" returns the forged response instantly instead of requesting the genuine backend API. Depending on how the application processes and renders the affected API response, this can lead to: * DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings. * Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads. * UI Hijacking and redirection by spoofing configuration endpoints. Patched Versions * 22.0.1 * 21.2.17 * 20.3.25 Workarounds If you cannot immediately update to a patched Angular version, apply the following workarounds: A. Avoid Dynamic/User-Controlled IDs Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix: <div [id]="userControlledInput">... <div [id]="'safe-prefix-' + userControlledInput">... B. Configure a Custom Application ID Declaring a unique, non-predictable "APP_ID" changes the ID suffix of the state element, making it harder for attackers to predict and target: // app.config.ts import { APP_ID } from '@angular/core'; import { provideClientHydration } from '@angular/platform-browser'; export const appConfig = { providers: [ { provide: APP_ID, useValue: 'unique-obfuscated-app-id' }, provideClientHydration() ] }; This changes the state element lookup ID from "ng-state" to "unique-obfuscated-app-id-state".
Publish Date: 2026-06-15
URL: CVE-2026-54267
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rgjc-h3x7-9mwg
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v21.2.17,https://github.com/angular/angular.git - v20.3.25
Step up your Open Source Security Game with Mend here
CVE-2026-27970
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue. Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
Publish Date: 2026-02-26
URL: CVE-2026-27970
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-prjf-86w9-mfqv
Release Date: 2026-02-26
Fix Resolution: @angular/core - 20.3.17,@angular/core - 19.2.19,@angular/core - 21.1.6,https://github.com/angular/angular.git - v21.2.0,https://github.com/angular/angular.git - v20.3.17,https://github.com/angular/angular.git - v19.2.19,https://github.com/angular/angular.git - v21.1.5
Step up your Open Source Security Game with Mend here
CVE-2026-22610
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Publish Date: 2026-01-10
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jrmj-c5cx-3cw6
Release Date: 2026-01-10
Fix Resolution: angular - 20.3.16,angular - 21.0.7,angular - 19.2.18,https://github.com/angular/angular.git - v19.2.18,https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v21.0.7
Step up your Open Source Security Game with Mend here
CVE-2026-52725
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
An issue in the "@angular/core" package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism ("createComponent") failed to reject mounting components directly onto a "<script>" or namespaced script element (such as ""svg:script" (svg:script)"). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to "createComponent" to initialize or mount an Angular component directly onto a "<script>" tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). Impact Any Angular application that registers dynamic components based on user-supplied parameters (like selectors or host elements) is vulnerable to this security bypass. Once exploited, this allows a malicious actor to mount a dynamic component on a script tag, bypassing core dynamic component creation safeguards to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist: 1. User-Controlled Host Selection: The application must accept user-controlled inputs that are passed as a selector/host element to "createComponent". 2. Absence of Additional Context Sanitization: The application does not perform separate input sanitization before feeding values to the dynamic creation APIs. Patches * 22.0.0-rc.2 * 21.2.15 * 20.3.22 * 19.2.23
Publish Date: 2026-06-15
URL: CVE-2026-52725
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-692r-grfm-v8x7
Release Date: 2026-06-15
Fix Resolution: @angular/core - 19.2.23,@angular/core - 20.3.22,@angular/core - 21.2.15
Step up your Open Source Security Game with Mend here
CVE-2026-50557
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
An issue in the "@angular/compiler" and "@angular/core" packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., ""svg:script" (svg:script)" or "<:svg:script>") were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS). Impact Any Angular application that compiles user-controlled templates at runtime, or relies on sanitization of namespaced elements/attributes, is vulnerable to this security bypass. Once exploited, this allows a malicious actor to inject a namespaced script element or dynamic attribute bindings, bypassing core sanitization constraints to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist: 1. User-Controlled Template Input: The application must accept user-controlled inputs that are directly processed by the Angular template compiler at runtime. 2. Namespace Parsing Support: The input structure must employ custom namespace prefixes (such as ""svg:script" (svg:script)") to evade standard tag-name blocklists/checks. 3. Absence of Additional Context Sanitization: The application does not perform separate input sanitization before feeding values to the Angular compiler. Patches * 22.0.0-rc.2 * 21.2.15 * 20.3.22 * 19.2.23
Publish Date: 2026-06-15
URL: CVE-2026-50557
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-f3m7-gqxr-g87x
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v20.3.22,https://github.com/angular/angular.git - v19.2.22
Step up your Open Source Security Game with Mend here
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
To optimize client-side bootstrap in Server-Side Rendered (SSR) environments, Angular supports Hydration via "provideClientHydration()". During SSR, Angular serializes the application's runtime state (such as cached "HttpClient" responses) and outputs it into the HTML stream as a "<script>" tag with a predictable identifier: <script type="application/json" id="ng-state"> {"some-api-url": {"body": ...}} </script>During client bootstrap, Angular recovers this state by looking up the element via "document.getElementById('ng-state')" and parsing its text content. Because the DOM element lookup for the state container is predictable and relies solely on the ID selector ("ng-state"), it is susceptible to DOM Clobbering. If the application binds untrusted user input or CMS content to element properties such as "id" (e.g., "<div [id]="userInput">" or "") before the genuine "<script>" tag is parsed by the browser, the attacker-controlled element takes precedence in the DOM lookup. During hydration, when Angular calls "document.getElementById('ng-state')", the browser returns the attacker's clobbered element. Angular then attempts to parse the text content or attributes of this clobbered element as JSON. Impact By clobbering the state element, the attacker can inject a custom JSON payload into Angular's "TransferState" cache. The most critical exploitation vector is poisoning the HTTP Transfer Cache. 1. The attacker injects a clobbered "ng-state" element containing custom JSON. 2. The JSON maps a key (representing a target API endpoint URL) to a malicious payload of the attacker's choice. 3. During client-side initialization, Angular's "HttpClient" checks "TransferState" before making requests. Finding the poisoned key, "HttpClient" returns the forged response instantly instead of requesting the genuine backend API. Depending on how the application processes and renders the affected API response, this can lead to: * DOM-based Cross-Site Scripting (XSS) if poisoned fields are rendered using unsafe bindings. * Privilege Escalation by spoofing user info or session details retrieved from poisoned API payloads. * UI Hijacking and redirection by spoofing configuration endpoints. Patched Versions * 22.0.1 * 21.2.17 * 20.3.25 Workarounds If you cannot immediately update to a patched Angular version, apply the following workarounds: A. Avoid Dynamic/User-Controlled IDs Avoid binding raw user-supplied values or dynamic CMS IDs directly to element attributes. If dynamic IDs are required, sanitize them or prepend a static safe prefix: <div [id]="userControlledInput">... <div [id]="'safe-prefix-' + userControlledInput">... B. Configure a Custom Application ID Declaring a unique, non-predictable "APP_ID" changes the ID suffix of the state element, making it harder for attackers to predict and target: // app.config.ts import { APP_ID } from '@angular/core'; import { provideClientHydration } from '@angular/platform-browser'; export const appConfig = { providers: [ { provide: APP_ID, useValue: 'unique-obfuscated-app-id' }, provideClientHydration() ] }; This changes the state element lookup ID from "ng-state" to "unique-obfuscated-app-id-state".
Publish Date: 2026-06-15
URL: CVE-2026-54267
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rgjc-h3x7-9mwg
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v21.2.17,https://github.com/angular/angular.git - v20.3.25
Step up your Open Source Security Game with Mend here
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-Site scripting vulnerability in the Angular internationalization (i18n) pipeline. In ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves three steps, extracting all messages from an application in the source language, sending the messages to be translated, and then merging their translations back into the final source code. Translations are frequently handled by contracts with specific partner companies, and involve sending the source messages to a separate contractor before receiving final translations for display to the end user. If the returned translations have malicious content, it could be rendered into the application and execute arbitrary JavaScript. When successfully exploited, this vulnerability allows for execution of attacker controlled JavaScript in the application origin. Depending on the nature of the application being exploited this could lead to credential exfiltration and/or page vandalism. Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.). Unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users. An attacker must first compromise an application's translation file before they can escalate privileges into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS via a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue. Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it in an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
Publish Date: 2026-02-26
URL: CVE-2026-27970
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-prjf-86w9-mfqv
Release Date: 2026-02-26
Fix Resolution: @angular/core - 20.3.17,@angular/core - 19.2.19,@angular/core - 21.1.6,https://github.com/angular/angular.git - v21.2.0,https://github.com/angular/angular.git - v20.3.17,https://github.com/angular/angular.git - v19.2.19,https://github.com/angular/angular.git - v21.1.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Publish Date: 2026-01-10
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jrmj-c5cx-3cw6
Release Date: 2026-01-10
Fix Resolution: angular - 20.3.16,angular - 21.0.7,angular - 19.2.18,https://github.com/angular/angular.git - v19.2.18,https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v21.0.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
An issue in the "@angular/core" package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism ("createComponent") failed to reject mounting components directly onto a "<script>" or namespaced script element (such as ""svg:script" (svg:script)"). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to "createComponent" to initialize or mount an Angular component directly onto a "<script>" tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). Impact Any Angular application that registers dynamic components based on user-supplied parameters (like selectors or host elements) is vulnerable to this security bypass. Once exploited, this allows a malicious actor to mount a dynamic component on a script tag, bypassing core dynamic component creation safeguards to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist: 1. User-Controlled Host Selection: The application must accept user-controlled inputs that are passed as a selector/host element to "createComponent". 2. Absence of Additional Context Sanitization: The application does not perform separate input sanitization before feeding values to the dynamic creation APIs. Patches * 22.0.0-rc.2 * 21.2.15 * 20.3.22 * 19.2.23
Publish Date: 2026-06-15
URL: CVE-2026-52725
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-692r-grfm-v8x7
Release Date: 2026-06-15
Fix Resolution: @angular/core - 19.2.23,@angular/core - 20.3.22,@angular/core - 21.2.15
Step up your Open Source Security Game with Mend here
Vulnerable Library - core-15.2.2.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/core/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
An issue in the "@angular/compiler" and "@angular/core" packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements (e.g., ""svg:script" (svg:script)" or "<:svg:script>") were not properly identified as script elements by the Angular template preparser, allowing them to pass through template compilation without being stripped. Furthermore, security context schema mappings for element attributes did not consistently handle attributes within namespaced elements (like SVG and MathML), opening up gaps where malicious namespaced attributes could bypass runtime and compile-time sanitizers. Combined, these flaws enable an attacker who can inject or supply a template/tag structure with custom namespaces to bypass Angular's script-stripping logic and attribute sanitizers, leading to client-side Cross-Site Scripting (XSS). Impact Any Angular application that compiles user-controlled templates at runtime, or relies on sanitization of namespaced elements/attributes, is vulnerable to this security bypass. Once exploited, this allows a malicious actor to inject a namespaced script element or dynamic attribute bindings, bypassing core sanitization constraints to execute arbitrary JavaScript within the target user's browser context. This could lead to session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit these vulnerabilities, the following environment parameters and application states must all concurrently exist: 1. User-Controlled Template Input: The application must accept user-controlled inputs that are directly processed by the Angular template compiler at runtime. 2. Namespace Parsing Support: The input structure must employ custom namespace prefixes (such as ""svg:script" (svg:script)") to evade standard tag-name blocklists/checks. 3. Absence of Additional Context Sanitization: The application does not perform separate input sanitization before feeding values to the Angular compiler. Patches * 22.0.0-rc.2 * 21.2.15 * 20.3.22 * 19.2.23
Publish Date: 2026-06-15
URL: CVE-2026-50557
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-f3m7-gqxr-g87x
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v21.2.15,https://github.com/angular/angular.git - v20.3.22,https://github.com/angular/angular.git - v19.2.22
Step up your Open Source Security Game with Mend here