FKIE_CVE-2026-52725

Vulnerability from fkie_nvd - Published: 2026-06-22 16:16 - Updated: 2026-06-26 19:34
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a <script> or namespaced script element (such as <svg:script>). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
References
security-advisories@github.comhttps://github.com/angular/angular/pull/68686Issue Tracking, Patch
security-advisories@github.comhttps://github.com/angular/angular/pull/68713Issue Tracking
security-advisories@github.comhttps://github.com/angular/angular/security/advisories/GHSA-692r-grfm-v8x7Third Party Advisory
Impacted products
Vendor Product Version
angularjs angularjs *
angularjs angularjs *
angularjs angularjs *
angularjs angularjs *
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
angularjs angularjs 22.0.0
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "angular",
          "vendor": "angular",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 22.0.0-next.0 \u003c 22.0.0-rc.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0-next.0 \u003c 21.2.15"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0-next.0 \u003c 20.3.22"
            },
            {
              "status": "affected",
              "version": "\u003e= 19.0.0-next.0 \u003c 19.2.22"
            },
            {
              "status": "affected",
              "version": "\u003c= 18.2.14"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A70036B6-0384-40CC-9402-261200050260",
              "versionEndIncluding": "18.2.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7FADD963-D39A-47F5-A352-13A46F056CDF",
              "versionEndExcluding": "19.2.23",
              "versionStartIncluding": "19.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3332B1D4-C8DE-4AF1-B02E-B4F6E89FD20C",
              "versionEndExcluding": "20.3.22",
              "versionStartIncluding": "20.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AD596738-EFE2-4226-94F5-664DBBBE4D40",
              "versionEndExcluding": "21.2.15",
              "versionStartIncluding": "21.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next0:*:*:*:*:*:*",
              "matchCriteriaId": "3CAB422E-FCB2-4AD0-8C6F-90F8DDCF046B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next1:*:*:*:*:*:*",
              "matchCriteriaId": "E3F939B4-3291-4AC7-B8A0-437981B44A15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next10:*:*:*:*:*:*",
              "matchCriteriaId": "5EF3D989-611A-4794-BF55-18E32CD6A37C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next11:*:*:*:*:*:*",
              "matchCriteriaId": "2D66CF2E-7578-41ED-8714-4BB4124E1BBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next12:*:*:*:*:*:*",
              "matchCriteriaId": "45E0B5CB-3D0D-4E94-B5B5-DA44868AFC56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next2:*:*:*:*:*:*",
              "matchCriteriaId": "DE5BE0D4-C971-4BDE-9208-A804D4D0F499",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next3:*:*:*:*:*:*",
              "matchCriteriaId": "2E2939BC-2B96-421F-9A92-213FC8E69958",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next4:*:*:*:*:*:*",
              "matchCriteriaId": "A6334AFE-E843-4DD0-8118-B843BB54D62F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next5:*:*:*:*:*:*",
              "matchCriteriaId": "9B7E0ECF-91DD-4F4A-B1A4-66A3380E0D52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next6:*:*:*:*:*:*",
              "matchCriteriaId": "8AA37933-9C41-4B5D-BB35-FC8BAD3FBB1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next7:*:*:*:*:*:*",
              "matchCriteriaId": "FD03563D-4DAC-4C3A-A89B-277C2109BC3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next8:*:*:*:*:*:*",
              "matchCriteriaId": "C42CDCDD-BCAF-4F2F-8A0D-703431BDA3AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:next9:*:*:*:*:*:*",
              "matchCriteriaId": "07E4BC13-3946-4756-A10F-8DBDC812553C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:rc0:*:*:*:*:*:*",
              "matchCriteriaId": "B2AA884A-730A-45C6-83FE-104E9FD358EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:angularjs:angularjs:22.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "6EA55F1C-F490-4E2F-9E93-5FF1C31FC78F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23, an issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism (createComponent) failed to reject mounting components directly onto a \u003cscript\u003e or namespaced script element (such as \u003csvg:script\u003e). This enabled the initialization of custom components on a tag that executes scripts, allowing attackers to hijack or inject script-executing hosts. This flaw enables an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a \u003cscript\u003e tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23."
    }
  ],
  "id": "CVE-2026-52725",
  "lastModified": "2026-06-26T19:34:55.707",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-52725",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-22T15:59:13.494116Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-22T16:16:38.193",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/angular/angular/pull/68686"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/angular/angular/pull/68713"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/angular/angular/security/advisories/GHSA-692r-grfm-v8x7"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.