CVE-2026-22610 - High Severity Vulnerability
Vulnerable Libraries - core-13.1.0.tgz, compiler-13.1.0.tgz
core-13.1.0.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-13.1.0.tgz
Path to dependency file: /src/AngWorkspace/package.json
Path to vulnerable library: /src/AngWorkspace/node_modules/@angular/core/package.json
Dependency Hierarchy:
- ❌ core-13.1.0.tgz (Vulnerable Library)
compiler-13.1.0.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-13.1.0.tgz
Path to dependency file: /src/AngWorkspace/package.json
Path to vulnerable library: /src/AngWorkspace/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
- ❌ compiler-13.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 642a29f4be078e5094d502da0a4f686426e9309b
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Publish Date: 2026-01-10
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-10
Fix Resolution: https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.0.7,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v19.2.18,angular - 19.2.18,angular - 21.0.7,angular - 20.3.16
Step up your Open Source Security Game with Mend here
CVE-2026-22610 - High Severity Vulnerability
core-13.1.0.tgz
Angular - the core framework
Library home page: https://registry.npmjs.org/@angular/core/-/core-13.1.0.tgz
Path to dependency file: /src/AngWorkspace/package.json
Path to vulnerable library: /src/AngWorkspace/node_modules/@angular/core/package.json
Dependency Hierarchy:
compiler-13.1.0.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-13.1.0.tgz
Path to dependency file: /src/AngWorkspace/package.json
Path to vulnerable library: /src/AngWorkspace/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
Found in HEAD commit: 642a29f4be078e5094d502da0a4f686426e9309b
Found in base branch: main
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Publish Date: 2026-01-10
URL: CVE-2026-22610
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-01-10
Fix Resolution: https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.0.7,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v19.2.18,angular - 19.2.18,angular - 21.0.7,angular - 20.3.16
Step up your Open Source Security Game with Mend here