QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-22610

Back to search

CVE-2026-22610

Published: Jan 10, 2026

Modified: Jun 2, 2026

PUBLISHED

Description

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.

VendorProductVersions

angular

angular

affected
>= 21.1.0-next.0, < 21.1.0-rc.0
affected
>= 21.0.0-next.0, < 21.0.7
affected
>= 20.0.0-next.0, < 20.3.16
affected
< 19.2.18

Weaknesses (CWE)

CWE-79

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now