XSS Vulnerability in Angular's Compiler Affects Web Application Security
CVE-2026-54265

5.3 MEDIUM

Key Information:

Vendor: Angular

Status
Vendor
CVE Published: 22 June 2026

What is CVE-2026-54265?

The Angular compiler had a serious flaw that allowed DOM property sanitization to be bypassed because of improper handling of two-way property bindings. Before version 22.0.1, Angular could emit native two-way DOM bindings without the necessary sanitization functions, which could lead to an XSS attack if an attacker could control the values of sensitive properties. Developers should update to version 22.0.1 or later.

Affected Version(s)

angular >= 22.0.0-next.0 < 22.0.1 < 22.0.0-next.0 22.0.1

angular >= 21.0.0-next.0 < 21.2.17 < 21.0.0-next.0 21.2.17

angular >= 20.0.0-next.0 < 20.3.25 < 20.0.0-next.0 20.3.25

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
