CVE Catalog

CVE-2026-52725

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

In @angular/core prior to versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability allows bypassing script-execution restrictions during dynamic component creation. The createComponent mechanism fails to reject mounting components directly onto a <script> or namespaced script element (e.g., <svg:script>), enabling attackers to inject and execute untrusted code (XSS).

Risk Assessment

An attacker can exploit this flaw to hijack user sessions, steal sensitive data, or perform arbitrary actions on behalf of the victim within the Angular application.

Recommendation

Immediately update @angular/core to version 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 (depending on your branch). If updating is not possible, avoid passing untrusted data as the host element or selector parameter to createComponent.

Original NVD description (English source)

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS