Script Execution Bypass in Angular Core Package Affects Multiple Versions
CVE-2026-52725
5.3 MEDIUM
What is CVE-2026-52725?
An issue in the @angular/core package, in versions prior to the fixed releases listed under Affected Version(s), permits bypassing script-execution restrictions during dynamic component creation. Attackers can exploit this flaw by initializing Angular components directly onto elements, potentially leading to untrusted code execution or client-side Cross-Site Scripting (XSS). The flaw is in the dynamic component instantiation mechanism (createComponent): a malicious actor who controls the host element can execute harmful scripts.
Affected Version(s)
angular >= 22.0.0-next.0 < 22.0.0-rc.2 < 22.0.0-next.0 22.0.0-rc.2
angular >= 21.0.0-next.0 < 21.2.15 < 21.0.0-next.0 21.2.15
angular >= 20.0.0-next.0 < 20.3.22 < 20.0.0-next.0 20.3.22
