CVE-2026-52725

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*

History

26 Jun 2026, 19:34

Type Values Removed Values Added
First Time Angularjs
Angularjs angularjs
CPE cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*
cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*
References () https://github.com/angular/angular/pull/68686 - () https://github.com/angular/angular/pull/68686 - Issue Tracking, Patch
References () https://github.com/angular/angular/pull/68713 - () https://github.com/angular/angular/pull/68713 - Issue Tracking
References () https://github.com/angular/angular/security/advisories/GHSA-692r-grfm-v8x7 - () https://github.com/angular/angular/security/advisories/GHSA-692r-grfm-v8x7 - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.1

22 Jun 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-22 16:16

Updated : 2026-06-26 19:34


NVD link : CVE-2026-52725

Mitre link : CVE-2026-52725

CVE.ORG link : CVE-2026-52725


JSON object : View

Products Affected

angularjs

  • angularjs
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')