CVE-2026-54265
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk9th percentile — higher than 9% of all known CVEs
Summary
In Angular, a vulnerability in the @angular/compiler package allows bypassing DOM property sanitization through two-way property bindings. When a property requiring sanitization (e.g., innerHTML, srcdoc, src, href, data, sandbox) is bound using two-way syntax ([(...)] or bindon-...), the compiler fails to apply the appropriate sanitizer, enabling an attacker who controls the property value to perform client-side XSS.
Risk Assessment
An attacker can inject malicious JavaScript code into the Angular application, leading to session data theft, user account takeover, or page content modification.
Recommendation
Immediately update Angular to version 22.0.1, 21.2.17, or 20.3.25 depending on the branch used. After updating, review the code for any two-way bindings of sensitive DOM properties.
Original NVD description (English source)
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.

