Lucene search
K

11 matches found

RedhatCVE
RedhatCVE
added 5 days ago6 views

CVE-2026-54265

A flaw was found in Angular's @angular/compiler package. When a native DOM property requiring sanitization is bound using two-way binding syntax, the template compiler fails to apply the appropriate sanitizer. An attacker who controls the bound value can bypass Angular's built-in sanitization,...

6.1CVSS5.5AI score0.00195EPSS
Exploits0References6
NVD
NVD
added 2026/06/22 4:16 p.m.11 views

CVE-2026-54265

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property...

6.1CVSS0.00195EPSS
Exploits0References3
OSV
OSV
added 2026/06/22 4:16 p.m.4 views

DEBIAN-CVE-2026-54265

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property...

6.1CVSS5.8AI score0.00195EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 3:27 p.m.31 views

CVE-2026-54265 Angular: Two-Way Property Binding Sanitization Bypass (XSS)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property...

5.3CVSS0.00195EPSS
Exploits0References3
CVE
CVE
added 2026/06/22 3:27 p.m.70 views

CVE-2026-54265

The CVE-2026-54265 issue affects the Angular @angular/compiler, where two-way binding on sensitive native DOM properties (e.g., innerHTML, src, href, data, sandbox) can bypass the sanitizer resolution. Prior to versions 22.0.1, 21.2.17, and 20.3.25, the template compiler failed to apply the appro...

6.1CVSS5.8AI score0.00195EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2026/06/20 5:48 a.m.7 views

Cross-Site Scripting (XSS)

Angular is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the Angular template compiler failing to apply the required sanitizer for sensitive native DOM properties used with two-way property bindings, which allows an attacker to bypass Angular's built-in DOM sanitization and...

6.1CVSS5.8AI score0.00195EPSS
Exploits0References7Affected Software1
Snyk
Snyk
added 2026/06/15 5:22 p.m.6 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the two-way property binding. An attacker can execute arbitrary JavaScript in the context of the user's browser by supplying crafted input to a sensitive DOM property bound with two-way binding syntax. Note:...

8.3CVSS5.9AI score0.00195EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 5:22 p.m.64 views

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization such as innerHTML, srcdoc, src, href, data, or sandbox is bound using the two-way binding syntax...

6.1CVSS5.7AI score0.00195EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/15 5:22 p.m.3 views

GHSA-58W9-8G37-X9V5 @angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization such as innerHTML, srcdoc, src, href, data, or sandbox is bound using the two-way binding syntax...

5.3CVSS5.8AI score0.00195EPSS
Exploits0References4
Snyk
Snyk
added 2026/01/16 9:2 p.m.4 views

Cross-site Scripting (XSS)

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the bind:value of server-side rendered elements when user-supplied content is not properly escaped. An attacker can execute arbitrary script...

6.1CVSS5.6AI score
Exploits0References2
OSV
OSV
added 2026/01/16 9:2 p.m.1 views

GHSA-GW32-9RMW-QWWW svelte is vulnerable to XSS with textarea bind:value

Summary A server-side rendered with two-way bound value does not have its value correctly escaped in the rendered HTML. Details In SSR, does not have its value escaped when it is rendered into the HTML as .... PoC Put this in a server-side-rendered Svelte component: let value = test'"alert'BIM';;...

8.4CVSS5.8AI score
Exploits0References3
Rows per page
Query Builder