Vulnerability DatabaseCVE-2026-54265
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-54265
Published:June 15, 2026
Updated:June 16, 2026
An issue in the "@angular/compiler" package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as "innerHTML", "srcdoc", "src", "href", "data", or "sandbox") is bound using the two-way binding syntax (e.g., "[(innerHTML)]="value"" or "bindon-innerHTML="value""), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the "TwoWayProperty" operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). Impact Any Angular application that uses two-way data binding ("[()]" or "bindon-") on security-sensitive native DOM properties (like "innerHTML", "href" on "<a>", "src" on "<img>"/"<iframe>", etc.) is vulnerable to this security bypass. Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist: 1. Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., "<div [(innerHTML)]="userContent"></div>"). 2. User-Controlled Input: The value bound to this property must be influenceable by user-controlled input. 3. Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via "DomSanitizer") before passing the value to the bound property. Patches * 22.0.1 * 21.2.17 * 20.3.25
Affected Packages
https://github.com/angular/angular.git (GITHUB):
Affected version(s) >=v20.3.16 <v20.3.25
Fix Suggestion:
Update to version v20.3.25
https://github.com/angular/angular.git (GITHUB):
Affected version(s) >=v21.0.4 <v21.2.17
Fix Suggestion:
Update to version v21.2.17
@angular/compiler (NPM):
Affected version(s) >=20.0.0-next.0 <20.3.25
Fix Suggestion:
Update to version 20.3.25
@angular/compiler (NPM):
Affected version(s) >=22.0.0-next.0 <22.0.1
Fix Suggestion:
Update to version 22.0.1
@angular/compiler (NPM):
Affected version(s) >=21.0.0-next.0 <21.2.17
Fix Suggestion:
Update to version 21.2.17
Related Resources (4)
https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4
https://github.com/angular/angular/pull/69107
https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5
https://github.com/angular/angular
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79