Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2026-22610
Good to know:
Date: January 9, 2026
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Severity Score
Related Resources (6)
Severity Score
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79Top Fix
Upgrade Version
Upgrade to version @angular/compiler - 21.0.7;@angular/compiler - 20.3.16;@angular/compiler - 19.2.18;@angular/compiler - 21.1.0-rc.0;@angular/core - 21.0.7;@angular/core - 20.3.16;@angular/core - 19.2.18;@angular/core - 21.1.0-rc.0;angular - 19.2.18;angular - 20.3.16;angular - 21.0.7;angular - 21.1.0-rc.0;https://github.com/angular/angular.git - v21.0.7;https://github.com/angular/angular.git - v19.2.18;https://github.com/angular/angular.git - v20.3.16;https://github.com/angular/angular.git - v21.1.0-rc.0
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | REQUIRED |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |