CVE-2026-52725
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
In @angular/core prior to versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, a vulnerability allows bypassing script-execution restrictions during dynamic component creation. The createComponent mechanism fails to reject mounting components directly onto a <script> or namespaced script element (e.g., <svg:script>), enabling attackers to inject and execute untrusted code (XSS).
Risk Assessment
An attacker can exploit this flaw to hijack user sessions, steal sensitive data, or perform arbitrary actions on behalf of the victim within the Angular application.
Recommendation
Immediately update @angular/core to version 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 (depending on your branch). If updating is not possible, avoid passing untrusted data as the host element or selector parameter to createComponent.
Original NVD description (English source)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.

