CVE-2026-22610

Angular contains an XSS vulnerability in the Template Compiler’s handling of SVG scripts where href/xlink:href are not treated as Resource URLs. Affected: Angular pre-patched releases before 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0. Impact is in the rendering/templating path; patch versions are ...

CVE-2026-22610 Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting XSS vulnerability has been identified in the Angular Template Compiler. The...

CVE-2026-22610 Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting XSS vulnerability has been identified in the Angular Template Compiler. The...

EUVD-2026-1698

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting XSS vulnerability has been identified in the Angular Template Compiler. The...

Angular 跨站脚本漏洞

Angular is Angular open source a development platform . Used to build mobile and desktop Web applications using Typescript / JavaScript and other languages. A cross-site scripting vulnerability exists in Angular versions prior to 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0 that stems from an intern...

4science_ng-dynamic-forms (>=19.0.0 <=19.0.3), @123samir/gonna-build-a-mountain-po-ts-lint (>=6.0.0 <=10.0.0-rc.1) +5269 more potentially affected by CVE-2026-22610 via @angular/core (>=0.0.0-0 <=18.2.14)

@angular/core NPM version =0.0.0-0, =19.0.0, =6.0.0, =0.0.0, =0.2.0, =3.0.2, =3.0.3 - @aakashsuryawanshi/ng-idle =1.0.0 - @aalsi/ap-lib-demo =0.0.3-SNAPSHOT - @abaza738/angular-editor =1.0.0 - @abdos/ngx-tinzert =0.0.0 - @abdullk00138/watch-list =1.0.0 - @abdullk00138/webui =1.0.2 -...

GHSA-JRMJ-C5CX-3CW6 Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

A Cross-Site Scripting XSS vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. In a standard security model,...

Cross-site Scripting (XSS)

Overview @angular/core is a package that lets you write client-side web applications as if you had a smarter browser. It also lets you use HTML as your template language and lets you extend HTML’s syntax to express your application’s components clearly and succinctly. Affected versions of this...

4science_ng-dynamic-forms (>=19.0.0 <=19.0.3), @123samir/gonna-build-a-mountain-po-ts-lint (>=6.0.0 <=10.0.0-rc.1) +4555 more potentially affected by CVE-2026-22610 via @angular/compiler (>=0.0.0-0 <=18.2.14)

@angular/compiler NPM version =0.0.0-0, =19.0.0, =6.0.0, =0.0.0, =0.2.0, =3.0.2, =3.0.3 - @aakashsuryawanshi/ng-idle =1.0.0 - @aalsi/ap-lib-demo =0.0.3-SNAPSHOT - @abaza738/angular-editor =1.0.0 - @abdos/ngx-tinzert =0.0.0 - @abdullk00138/watch-list =1.0.0 - @abdullk00138/webui =1.0.2 -...

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

A Cross-Site Scripting XSS vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. In a standard security model,...

CVE-2025-23658

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Tauhidul Alam Advanced Angular Contact Form advanced-angular-contact-form allows Reflected XSS.This issue affects Advanced Angular Contact Form: from n/a through = 1.1.0...

PT-2026-2230

Name of the Vulnerable Software and Affected Versions Angular versions prior to 19.2.18 Angular versions prior to 20.3.16 Angular versions prior to 21.0.7 Angular version 21.1.0-rc.0 Description Angular is a development platform for building mobile and desktop web applications using...

Malicious Package

Overview angular-trackjs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Server-Side Request Forgery (SSRF)

@angular/ssr is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper URL resolution in the createRequestUrl function that treats paths beginning with // or \ as schema-relative URLs, which allows an attacker to override the intended base URL and force the server to...

CVE-2025-66035

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential...

CVE-2025-66412

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting XSS vulnerability has been identified in the Angular Template Compiler. It occurs because the...

Linux Distros Unpatched Vulnerability : CVE-2025-66412

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, an...

EUVD-2025-200713

Malicious code in angular-trackjs npm...

MAL-2025-191952 Malicious code in angular-trackjs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3dde8ff08d0afb7a55d925331147c0b3f0dfac896838dcb69f61986b164e1753 The package angular-trackjs was found to contain malicious code. Source: ghsa-malware b4da35ac01bfc9a066ed18d5c2e49c7691f1e8378db128dfe45dd6ab15d49e5...

Malicious code in angular-trackjs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3dde8ff08d0afb7a55d925331147c0b3f0dfac896838dcb69f61986b164e1753 The package angular-trackjs was found to contain malicious code. Source: ghsa-malware b4da35ac01bfc9a066ed18d5c2e49c7691f1e8378db128dfe45dd6ab15d49e5...