A seemingly harmless feature in Scalable Vector Graphics (SVG) has become a major security headache for Angular developers. A new high-severity vulnerability, tracked as CVE-2026-22610, has been discovered in the Angular Template Compiler, allowing attackers to bypass built-in security protections and execute arbitrary JavaScript code.
With a CVSS score of 8.5, the flaw is a serious threat to mobile and desktop web applications built on the platform. The issue stems from a blind spot in how Angular’s internal sanitization schema handles specific SVG attributes.
Angular is famous for its robust default security, which typically strips out dangerous code before it renders. However, this specific vulnerability exploits a failure to recognize the danger of SVG <script> elements.
According to the disclosure, the Angular compiler “fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context”.
In a standard security model, any attribute that can load code, such as a script's source, should be treated with extreme suspicion. But because the compiler misclassifies these attributes, it treats them as standard, non-sensitive strings. This oversight allows an attacker to use Angular's template binding (e.g., `<script [attr.href]="userInput">`) to inject a malicious payload, such as a data:text/javascript URI or a link to an external attack script.
The impact of a successful exploit is significant. By injecting malicious scripts into the victim’s browser session, attackers can perform a range of hostile actions:
- Session Hijacking: Stealing authentication tokens, cookies, or localStorage data.
- Data Exfiltration: Accessing sensitive information displayed within the application and transmitting it to a remote server.
- Unauthorized Actions: Forcing the user’s browser to submit forms or click buttons without their consent.
For the attack to work, the application must explicitly use SVG <script> elements in its templates and bind untrusted data to their href attributes.
The Angular team has released patches across multiple versions to close this loophole. Developers are urged to upgrade to the following versions immediately:
- 19.2.18
- 20.3.16
- 21.0.7
- 21.1.0-rc.0
For teams unable to patch immediately, the advice is to stop using dynamic bindings for these specific attributes. "Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements," the advisory warns. If dynamic values are unavoidable, developers must strictly validate input against an allowlist of trusted URLs before it ever reaches the template.
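The allowlist check described above, as an added example written for this article rather than code from Angular or the advisory. It assumes two constructed origins as the allowlist and that the component binds only the function's return value, never the raw input; with `[attr.href]`, Angular removes the attribute entirely when the bound value is null.

```typescript
// Added example: allowlist validation for a value that would otherwise be bound
// straight to an SVG <script> href. The origins and sample inputs are
// constructed placeholders for this illustration.

/** Origins (scheme + host + port) permitted to serve script files. */
const ALLOWED_SCRIPT_ORIGINS: ReadonlySet<string> = new Set([
  'https://static.example.com',
  'https://cdn.example.com',
]);

/**
 * Returns a normalized script URL if `input` points at an allowlisted origin
 * over https, otherwise null. Only the returned value may reach the template.
 */
function validateScriptHref(
  input: string,
  allowedOrigins: ReadonlySet<string> = ALLOWED_SCRIPT_ORIGINS,
): string | null {
  let url: URL;
  try {
    // Absolute URLs only: a relative string has no origin to check against
    // the allowlist, so it is rejected along with anything unparsable.
    url = new URL(input);
  } catch {
    return null;
  }
  // Rejects data:, javascript:, blob:, http: and every other scheme outright,
  // which is what blocks the data:text/javascript payload from the advisory.
  if (url.protocol !== 'https:') return null;
  // Exact origin match: "https://cdn.example.com.evil.test" does not pass,
  // and the WHATWG parser has already lowercased scheme and host for us.
  if (!allowedOrigins.has(url.origin)) return null;
  // A script source has no business carrying embedded credentials.
  if (url.username !== '' || url.password !== '') return null;
  return url.href;
}

/**
 * Component-side helper: the template binds `scriptHref` (the return value),
 * e.g. <script [attr.href]="scriptHref">, so unvetted input never reaches the
 * compiler. A null result makes Angular drop the attribute altogether.
 */
function scriptHrefForTemplate(untrusted: string): string | null {
  return validateScriptHref(untrusted);
}
```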