VYPR
Medium severity 6.1 · OSV Advisory · Published Jan 10, 2026 · Updated Jun 2, 2026

CVE-2026-22610

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| @angular/compiler (npm) | >= 21.1.0-next.0, < 21.1.0-rc.0 | 21.1.0-rc.0 |
| @angular/core (npm) | >= 21.1.0-next.0, < 21.1.0-rc.0 | 21.1.0-rc.0 |
| @angular/compiler (npm) | >= 21.0.0-next.0, < 21.0.7 | 21.0.7 |
| @angular/core (npm) | >= 21.0.0-next.0, < 21.0.7 | 21.0.7 |
| @angular/compiler (npm) | >= 20.0.0-next.0, < 20.3.16 | 20.3.16 |
| @angular/core (npm) | >= 20.0.0-next.0, < 20.3.16 | 20.3.16 |
| @angular/compiler (npm) | >= 19.0.0-next.0, < 19.2.18 | 19.2.18 |
| @angular/core (npm) | >= 19.0.0-next.0, < 19.2.18 | 19.2.18 |
| @angular/compiler (npm) | <= 18.2.14 | |
| @angular/core (npm) | <= 18.2.14 | |

Affected products

  • Angular/Angular (OSV): 7 versions
    10.0.0-next.0, 10.0.0-next.1, 10.0.0-next.2, … + 6 more
    • (no CPE) range: 10.0.0-next.0, 10.0.0-next.1, 10.0.0-next.2, …
    • cpe:2.3:a:angular:angular:21.1.0:next0:*:*:*:node.js:*:*
    • cpe:2.3:a:angular:angular:21.1.0:next1:*:*:*:node.js:*:*
    • cpe:2.3:a:angular:angular:21.1.0:next2:*:*:*:node.js:*:*
    • cpe:2.3:a:angular:angular:21.1.0:next3:*:*:*:node.js:*:*
    • cpe:2.3:a:angular:angular:21.1.0:next4:*:*:*:node.js:*:*
    • cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:* range: <=18.2.14
  • ghsa-coords: 2 versions
    >= 21.1.0-next.0, < 21.1.0-rc.0 + 1 more
    • (no CPE) range: >= 21.1.0-next.0, < 21.1.0-rc.0
    • (no CPE) range: >= 21.1.0-next.0, < 21.1.0-rc.0
