Angular Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-22610 - Vulnerability Database

Angular

Angular Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2026-22610

Medium

Reference: CVE-2026-22610

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-22610

Title: Angular Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18 20.3.16 21.0.7 and 21.1.0-rc.0 a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angulars internal sanitization schema fails to recognize the href and xlink:href attributes of SVG ltscriptgt elements as a Resource URL context. This issue has been patched in versions 19.2.18 20.3.16 21.0.7 and 21.1.0-rc.0.