
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN021
_____________________________________________________________________

DATE                : 12/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @angular/compiler (npm) or
                     @angular/core (npm) at versions prior to
                     21.1.0-rc.0, 21.0.7, 20.3.16 or 19.2.18
                     (18.2.14 and earlier: no patched release).

=====================================================================
https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
_____________________________________________________________________

XSS Vulnerability via Unsanitized SVG Script Attributes
High
alan-agius4 published GHSA-jrmj-c5cx-3cw6 Jan 8, 2026

Package: @angular/compiler (npm)

Affected versions               Patched version
>=21.1.0-next.0 < 21.1.0-rc.0   21.1.0-rc.0
>=21.0.0-next.0 < 21.0.7        21.0.7
>=20.0.0-next.0 < 20.3.16       20.3.16
>=19.0.0-next.0 < 19.2.18       19.2.18
<= 18.2.14                      none (no patched release in this line)

Package: @angular/core (npm)

Affected versions               Patched version
>=21.1.0-next.0 < 21.1.0-rc.0   21.1.0-rc.0
>=21.0.0-next.0 < 21.0.7        21.0.7
>=20.0.0-next.0 < 20.3.16       20.3.16
>=19.0.0-next.0 < 19.2.18       19.2.18
<= 18.2.14                      none (no patched release in this line)


Description

A Cross-Site Scripting (XSS) vulnerability has been identified in
the Angular Template Compiler. Angular's internal sanitization
schema does not recognize the href and xlink:href attributes of
SVG <script> elements as a Resource URL context.

Attributes that can load and execute code (such as a script's
source) should be strictly validated. Because the compiler does
not classify these SVG attributes correctly, values bound to them
bypass Angular's built-in protections for resource URLs.

When template binding assigns user-controlled data to these
attributes, for example <script [attr.href]="userInput">, the
compiler treats the value as a plain string or an ordinary URL
rather than as a resource URL, which Angular would otherwise
accept only as an explicitly trusted value. An attacker who
controls the bound value can therefore supply a payload such as
a data:text/javascript URI or a link to an external malicious
script.


Impact

When successfully exploited, this vulnerability allows for
arbitrary JavaScript execution within the context of the
victim's browser session. This can lead to:

    Session Hijacking: stealing session cookies, localStorage
    data, or authentication tokens.
    Data Exfiltration: accessing and transmitting sensitive
    information displayed within the application.
    Unauthorized Actions: performing state-changing actions
    (such as clicking buttons or submitting forms) on behalf of
    the authenticated user.

Attack Preconditions

    The victim application must explicitly use SVG <script>
    elements within its templates.
    The application must bind the href or xlink:href attribute
    of those SVG scripts dynamically, via property binding,
    attribute binding (e.g. [attr.href]) or interpolation.
    The data bound to these attributes must come from an
    untrusted source (e.g., URL parameters, user-submitted
    database entries, or unsanitized API responses).

Patches

    19.2.18
    20.3.16
    21.0.7
    21.1.0-rc.0
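To check an installed dependency tree against the ranges above, the
following script is an added example written for this note; it is not
Angular's or CERT-Renater's code. It implements SemVer precedence so
that prerelease tags such as 21.1.0-next.0 and 21.1.0-rc.0 compare
correctly, and it walks a package-lock.json "packages" map including
nested copies under node_modules/<dep>/node_modules/. The package-lock
excerpt, the demo-app name and the legacy-widget dependency are
constructed for the demo.

```javascript
// Added example for this advisory, not Angular's or CERT-Renater's code:
// checks installed @angular/core / @angular/compiler versions against the
// affected ranges published in GHSA-jrmj-c5cx-3cw6. Ranges are copied from
// the advisory; the package-lock excerpt below is constructed for the demo.

const VULNERABLE_PACKAGES = new Set(['@angular/core', '@angular/compiler']);

// Affected ranges as listed above. `fixed: null` marks the <= 18.2.14 line,
// for which the advisory lists no patched release.
const AFFECTED = [
  { min: '21.1.0-next.0', fixed: '21.1.0-rc.0' },
  { min: '21.0.0-next.0', fixed: '21.0.7' },
  { min: '20.0.0-next.0', fixed: '20.3.16' },
  { min: '19.0.0-next.0', fixed: '19.2.18' },
  { min: null, max: '18.2.14', fixed: null },
];

// Parse MAJOR.MINOR.PATCH[-prerelease] (build metadata is not handled).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// SemVer precedence: numeric core first; a release outranks any prerelease
// of the same core; prerelease identifiers compare numerically when both
// are numeric, otherwise lexically (so "next.0" < "rc.0"); a shorter
// identifier list sorts lower. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) {
      if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] < +y.pre[i] ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1;          // numeric identifiers sort before alphanumeric
    } else if (x.pre[i] !== y.pre[i]) {
      return x.pre[i] < y.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

// Is this version inside any affected range, and which release fixes it?
function assess(version) {
  for (const r of AFFECTED) {
    const aboveMin = r.min === null || compareVersions(version, r.min) >= 0;
    const belowMax = r.fixed !== null
      ? compareVersions(version, r.fixed) < 0
      : compareVersions(version, r.max) <= 0;
    if (aboveMin && belowMax) return { affected: true, fixed: r.fixed };
  }
  return { affected: false, fixed: null };
}

// Walk a lockfileVersion 2/3 package-lock.json "packages" map, including
// nested copies under node_modules/<dep>/node_modules/..., and report
// every vulnerable install with the release to move to.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i < 0) continue;                           // "" is the root project
    const name = path.slice(i + 'node_modules/'.length);
    if (!VULNERABLE_PACKAGES.has(name)) continue;
    const { affected, fixed } = assess(entry.version);
    if (affected) findings.push({ path, name, version: entry.version, fixed });
  }
  return findings;
}

// Constructed package-lock excerpt: a patched compiler, an unpatched core,
// and a stale 18.x core pulled in by a nested dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/@angular/compiler': { version: '21.0.7' },
    'node_modules/@angular/core': { version: '21.0.6' },
    'node_modules/legacy-widget/node_modules/@angular/core': { version: '18.2.14' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it with node; to audit a real project, replace SAMPLE_LOCK with
JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The nested
walk matters: a patched 21.0.7 at the top level does not fix an 18.x
@angular/core that another dependency carries under its own
node_modules, and that line has no patched release at all.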

Workarounds

Until the patch is applied, developers should:

    Avoid Dynamic Bindings: do not use Angular template binding
    (e.g., [attr.href]) for the href or xlink:href attributes of
    SVG <script> elements.
    Input Validation: if dynamic values cannot be avoided,
    validate the input against an allowlist of trusted URLs
    (scheme and origin) on the server side, or in any case before
    it reaches the template.
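As an added example for the attack preconditions and the workarounds
above (not Angular's or CERT-Renater's code), the following script does
two things: scanTemplate() flags SVG <script> elements in template text
whose href or xlink:href is bound or interpolated, i.e. the pattern the
preconditions describe, and resolveScriptUrl() applies the allowlist
workaround by accepting only absolute https: URLs whose parsed origin
is on an allowlist. The template, the allowlist and the origin
cdn.example.com are constructed for the demo; the scanner is a
tag-level regex pass, not Angular's template parser.

```javascript
// Added example for the preconditions and workarounds above, not Angular's
// or CERT-Renater's code. scanTemplate() flags SVG <script> elements whose
// href / xlink:href is bound dynamically (property/attribute binding or
// interpolation), and resolveScriptUrl() is one way to apply the allowlist
// workaround before a value reaches such a binding. The template and the
// allowlist below are constructed for the demo.

const TAG_RE = /<(\/?)([A-Za-z][\w:.-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
const RESOURCE_ATTRS = new Set(['href', 'xlink:href']);

// Reduce an Angular attribute-name form to the underlying attribute and say
// whether it is a binding: [attr.href], [href], bind-attr.href, bind-href.
function bindingTarget(name) {
  let n = name, bound = false;
  if (n.startsWith('[') && n.endsWith(']')) { n = n.slice(1, -1); bound = true; }
  else if (n.startsWith('bind-')) { n = n.slice(5); bound = true; }
  if (n.startsWith('attr.')) n = n.slice(5);
  return { attr: n.toLowerCase(), bound };
}

// Scan template text for <script> elements nested inside <svg> (the element
// the advisory concerns) whose href or xlink:href is bound or interpolated.
// Tag-level regex parse: attribute values containing ">" are not handled.
function scanTemplate(html) {
  const findings = [];
  let svgDepth = 0;
  for (const m of html.matchAll(TAG_RE)) {
    const [, close, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (name === 'svg') { svgDepth += close ? -1 : 1; continue; }
    if (name !== 'script' || close || svgDepth <= 0) continue;
    const line = html.slice(0, m.index).split('\n').length;
    for (const a of attrText.matchAll(ATTR_RE)) {
      const { attr, bound } = bindingTarget(a[1]);
      if (!RESOURCE_ATTRS.has(attr)) continue;
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (bound || value.includes('{{')) findings.push({ line, attribute: a[1], value });
    }
  }
  return findings;
}

// Allowlist check for a dynamic script URL: only absolute https: URLs whose
// origin is on the allowlist pass. data:, javascript:, blob:, protocol-
// relative and malformed values all come back as null. Matching on the
// parsed origin (not a string prefix) also rejects
// "https://cdn.example.com@evil.example/x.js" and look-alike hosts.
function resolveScriptUrl(value, allowedOrigins) {
  let url;
  try { url = new URL(String(value)); } catch { return null; }
  if (url.protocol !== 'https:') return null;
  if (!allowedOrigins.includes(url.origin)) return null;
  return url.href;
}

// Constructed template: two risky bindings inside <svg>, one static href,
// and a bound <a> outside <svg> that is not the pattern in question.
const SAMPLE_TEMPLATE = `
<div>
  <a [attr.href]="profileUrl">profile</a>
  <svg viewBox="0 0 10 10">
    <script [attr.href]="userInput"></script>
    <script xlink:href="{{ pluginUrl }}"></script>
    <script href="/assets/static.js"></script>
  </svg>
</div>`;

const ALLOWED_ORIGINS = ['https://cdn.example.com'];   // constructed allowlist

console.log(scanTemplate(SAMPLE_TEMPLATE));
console.log(resolveScriptUrl('https://cdn.example.com/lib.js', ALLOWED_ORIGINS));
console.log(resolveScriptUrl('data:text/javascript,alert(1)', ALLOWED_ORIGINS));
```

Running it reports the two bindings on lines 5 and 6 of the sample and
leaves the static href alone. Comparing the parsed origin rather than
a string prefix is what defeats data:, javascript: and userinfo tricks
such as https://cdn.example.com@evil.example/x.js, which a
startsWith('https://cdn.example.com') check would let through.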


References

    #66318


Severity
High
8.5 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User interaction Active
Vulnerable System Impact Metrics
Confidentiality High
Integrity High
Availability High
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-22610

Weaknesses
Weakness CWE-79

Credits

    @alan-agius4 alan-agius4 Remediation developer
    @josephperrott josephperrott Remediation reviewer
    @AndrewKushnir AndrewKushnir Remediation reviewer
    @hybrist hybrist Remediation reviewer
    @ShelbyKelley ShelbyKelley Reporter
    @gkalpak gkalpak Reporter

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================