Medium severity 6.1 · OSV Advisory · Published Jan 10, 2026 · Updated Jun 2, 2026
CVE-2026-22610
Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @angular/compiler (npm) | >= 21.1.0-next.0, < 21.1.0-rc.0 | 21.1.0-rc.0 |
| @angular/core (npm) | >= 21.1.0-next.0, < 21.1.0-rc.0 | 21.1.0-rc.0 |
| @angular/compiler (npm) | >= 21.0.0-next.0, < 21.0.7 | 21.0.7 |
| @angular/core (npm) | >= 21.0.0-next.0, < 21.0.7 | 21.0.7 |
| @angular/compiler (npm) | >= 20.0.0-next.0, < 20.3.16 | 20.3.16 |
| @angular/core (npm) | >= 20.0.0-next.0, < 20.3.16 | 20.3.16 |
| @angular/compiler (npm) | >= 19.0.0-next.0, < 19.2.18 | 19.2.18 |
| @angular/core (npm) | >= 19.0.0-next.0, < 19.2.18 | 19.2.18 |
| @angular/compiler (npm) | <= 18.2.14 | — |
| @angular/core (npm) | <= 18.2.14 | — |
Affected products (9)
10.0.0-next.0, 10.0.0-next.1, 10.0.0-next.2, … + 6 more
- (no CPE) range: 10.0.0-next.0, 10.0.0-next.1, 10.0.0-next.2, …
- cpe:2.3:a:angular:angular:21.1.0:next0:*:*:*:node.js:*:*
- cpe:2.3:a:angular:angular:21.1.0:next1:*:*:*:node.js:*:*
- cpe:2.3:a:angular:angular:21.1.0:next2:*:*:*:node.js:*:*
- cpe:2.3:a:angular:angular:21.1.0:next3:*:*:*:node.js:*:*
- cpe:2.3:a:angular:angular:21.1.0:next4:*:*:*:node.js:*:*
- cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* range: <=18.2.14
- ghsa-coords (2 versions): >= 21.1.0-next.0, < 21.1.0-rc.0 + 1 more
  - (no CPE) range: >= 21.1.0-next.0, < 21.1.0-rc.0
  - (no CPE) range: >= 21.1.0-next.0, < 21.1.0-rc.0
References (7)
- github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56 (nvd: Patch, WEB)
- github.com/advisories/GHSA-jrmj-c5cx-3cw6 (ghsa: ADVISORY)
- github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6 (nvd: Mitigation, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-22610 (ghsa: ADVISORY)
- cert-portal.siemens.com/productcert/html/ssa-253495.html (nvd: WEB)
- cert-portal.siemens.com/productcert/html/ssa-485750.html (nvd: WEB)
- github.com/angular/angular/pull/66318 (nvd: Issue Tracking, WEB)