What is GHSA-jrmj-c5cx-3cw6?

GHSA-jrmj-c5cx-3cw6 is a security advisory published by GitHub Security Advisories with High severity. Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Which CVE IDs does GHSA-jrmj-c5cx-3cw6 cover?

GHSA-jrmj-c5cx-3cw6 covers the following CVE IDs: CVE-2026-22610. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-jrmj-c5cx-3cw6?

GHSA-jrmj-c5cx-3cw6 affects 10 products, including: npm/@angular/compiler:\u003e= 21.1.0-next.0, \u003c 21.1.0-rc.0; npm/@angular/core:\u003e= 21.1.0-next.0, \u003c 21.1.0-rc.0; npm/@angular/compiler:\u003e= 21.0.0-next.0, \u003c 21.0.7; npm/@angular/core:\u003e= 21.0.0-next.0, \u003c 21.0.7; npm/@angular/compiler:\u003e= 20.0.0-next.0, \u003c 20.3.16; and others — see the full list on the advisory page.

GHSA-jrmj-c5cx-3cw6High

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

Vendor

GitHub Security Advisories

Published

January 9, 2026

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2026-22610 →

📋 Description

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

The victim application must explicitly use SVG <script> elements within its templates.
The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

19.2.18
20.3.16
21.0.7
21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources

https://github.com/angular/angular/pull/66318

🎯 Affected products10

npm/@angular/compiler:>= 21.1.0-next.0, < 21.1.0-rc.0
npm/@angular/core:>= 21.1.0-next.0, < 21.1.0-rc.0
npm/@angular/compiler:>= 21.0.0-next.0, < 21.0.7
npm/@angular/core:>= 21.0.0-next.0, < 21.0.7
npm/@angular/compiler:>= 20.0.0-next.0, < 20.3.16
npm/@angular/core:>= 20.0.0-next.0, < 20.3.16
npm/@angular/compiler:>= 19.0.0-next.0, < 19.2.18
npm/@angular/core:>= 19.0.0-next.0, < 19.2.18
npm/@angular/compiler:<= 18.2.14
npm/@angular/core:<= 18.2.14