CVE-2026-22610
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Angular's Template Compiler where the sanitization schema fails to properly handle href and xlink:href attributes in SVG <script> elements. This allows attackers to inject malicious scripts that execute in users' browsers. All Angular applications using affected versions are vulnerable if they process untrusted template content.
💻 Affected Systems
- Angular
📦 What is this software?
Angular by Angular
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, performing actions as the user, or redirecting to malicious sites.
Likely Case
Attackers inject malicious scripts through user-controlled inputs that get processed by Angular templates, leading to session hijacking or credential theft.
If Mitigated
With proper input validation and output encoding, the risk is reduced but not eliminated since the vulnerability is in Angular's core sanitization.
🎯 Exploit Status
Exploitation requires an attacker to inject malicious SVG script elements into Angular templates. The vulnerability is in Angular's core sanitization logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.2.18, 20.3.16, 21.0.7, or 21.1.0-rc.0
Vendor Advisory: https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
Restart Required: Yes
Instructions:
1. Identify your Angular version.
2. Update to the patched version matching your major version: 19.x → 19.2.18, 20.x → 20.3.16, 21.x → 21.0.7 or 21.1.0-rc.0.
3. Run npm update @angular/core.
4. Rebuild and redeploy your application.
🔧 Temporary Workarounds
Input Sanitization
Implement strict input validation and sanitization for all user-controlled content before it reaches Angular templates.
Content Security Policy
Implement strict Content Security Policy headers to mitigate script execution impact.
Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Implement strict Content Security Policy with script-src directives
- Add additional sanitization layers for all user inputs before Angular template processing
🔍 How to Verify
Check if Vulnerable:
Check package.json for the Angular version. If your version is below 19.2.18 (on 19.x), below 20.3.16 (on 20.x), or below 21.0.7 (on 21.x) and not 21.1.0-rc.0, you are vulnerable.
Check Version:
npm list @angular/core
Verify Fix Applied:
Verify that the Angular version after the update matches one of the patched versions. Test with known safe SVG script payloads.
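As an added example, not code from the Angular project or from this advisory, a short Node.js script that applies the version check above: it pulls the installed version out of `npm list @angular/core` output and compares it against the patched releases listed on this page. How it treats majors outside 19 to 21 and 21.1.x pre-releases is an assumption, noted in the comments.

```javascript
// Added example (not Angular project code): decide whether an installed
// @angular/core version falls below the patched releases named above.
const PATCHED_BY_MAJOR = { 19: "19.2.18", 20: "20.3.16", 21: "21.0.7" };
const PATCHED_21_1_PRERELEASE = "21.1.0-rc.0";

// Parse "major.minor.patch[-prerelease]" (a leading "v" is tolerated).
function parseSemver(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(text.trim());
  if (!m) throw new Error(`not a semver string: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split(".") : [] };
}

// Semver ordering: numeric x.y.z first, then pre-release identifiers; a final
// release sorts above any pre-release of the same x.y.z.
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  if (a.pre.length === 0 || b.pre.length === 0) return Math.sign(b.pre.length - a.pre.length);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (i >= a.pre.length) return -1; // shorter identifier list is lower
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xNum !== yNum) return xNum ? -1 : 1; // numeric ids sort below alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version is below the fix for its major line. Assumptions not stated
// on the page: majors below 19 (no listed fix) are reported vulnerable, majors above
// 21 are reported fixed, and 21.1.x pre-releases are compared against 21.1.0-rc.0.
function isVulnerable(version) {
  const v = parseSemver(version);
  if (v.major < 19) return true;
  if (v.major > 21) return false;
  const fix = v.major === 21 && v.minor > 0 ? PATCHED_21_1_PRERELEASE : PATCHED_BY_MAJOR[v.major];
  return compareSemver(v, parseSemver(fix)) < 0;
}

// Pull the installed version out of `npm list @angular/core` output.
function versionFromNpmList(output) {
  const m = /@angular\/core@(\S+)/.exec(output);
  return m ? m[1] : null;
}

// Constructed sample of what `npm list @angular/core` prints in a project root.
const SAMPLE_NPM_LIST = "my-app@1.0.0 /srv/my-app\n└── @angular/core@20.3.15\n";
console.log(`installed ${versionFromNpmList(SAMPLE_NPM_LIST)} vulnerable: ${isVulnerable(versionFromNpmList(SAMPLE_NPM_LIST))}`);
```

Run it with the real `npm list @angular/core` output piped into `versionFromNpmList` to get a yes/no answer per project.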
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG content in requests
- Script execution errors in browser console logs
Network Indicators:
- Requests containing SVG script elements with href/xlink:href attributes
SIEM Query:
source="web_server" AND (uri="*.svg" OR (body CONTAINS "<script" AND body CONTAINS "href="))