compiler-15.2.2.tgz: 2 vulnerabilities (highest severity is: 8.0) #515
Description
Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (compiler version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-22610 |  High |
8.0 | compiler-15.2.2.tgz | Direct | @angular/compiler - 20.3.16,@angular/compiler - 21.0.7,@angular/core - 19.2.18,@angular/core - 20.3.16,@angular/core - 21.0.7,@angular/compiler - 19.2.18 | ❌ |
| CVE-2025-66412 | High |
8.0 | compiler-15.2.2.tgz | Direct | https://github.com/angular/angular.git - 21.0.2,https://github.com/angular/angular.git - 19.2.17,https://github.com/angular/angular.git - 20.3.15 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-22610
Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
- ❌ compiler-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the "href" and "xlink:href" attributes of SVG "<script>" elements as a Resource URL context. In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections. When template binding is used to assign user-controlled data to these attributes for example, "<script [attr.href]="userInput">" the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a "data:text/javascript" URI or a link to an external malicious script. Impact When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to: - Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens. - Data Exfiltration: Accessing and transmitting sensitive information displayed within the application. - Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user. Attack Preconditions 1. The victim application must explicitly use SVG "<script>" elements within its templates. 2. The application must use property or attribute binding (interpolation) for the "href" or "xlink:href" attributes of those SVG scripts. 3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses). Patches - 19.2.18 - 20.3.16 - 21.0.7 - 21.1.0-rc.0 Workarounds Until the patch is applied, developers should: - Avoid Dynamic Bindings: Do not use Angular template binding (e.g., "[attr.href]") for SVG "<script>" elements. - Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template. Resources - angular/angular#66318
Publish Date: 2026-01-09
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jrmj-c5cx-3cw6
Release Date: 2026-01-09
Fix Resolution: @angular/compiler - 20.3.16,@angular/compiler - 21.0.7,@angular/core - 19.2.18,@angular/core - 20.3.16,@angular/core - 21.0.7,@angular/compiler - 19.2.18
Step up your Open Source Security Game with Mend here
CVE-2025-66412
Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
- ❌ compiler-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
Publish Date: 2025-12-01
URL: CVE-2025-66412
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-01
Fix Resolution: https://github.com/angular/angular.git - 21.0.2,https://github.com/angular/angular.git - 19.2.17,https://github.com/angular/angular.git - 20.3.15
Step up your Open Source Security Game with Mend here