## Angular Compiler Security Update: Critical XSS Vulnerability in SVG Script Handling (CVE-2026-22610)
A critical security vulnerability in the Angular framework's compiler component has been disclosed, prompting an urgent dependency update. The flaw, tracked as CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6), involves a cross-site scripting (XSS) risk stemming from unsanitized SVG script attributes. This vulnerability could allow malicious actors to inject and execute arbitrary scripts within applications built on affected Angular versions, posing a direct threat to application security and user data.

The issue resides in the `@angular/compiler` package. Renovate, an automated dependency management tool, has flagged the need to update this package from the range `^16.2.3` to the patched range `^19.0.0`. The significant version jump underscores the severity of the fix required to close this security gap. The vulnerability's mechanism allows script execution via SVG attributes that the Angular compiler's default security context does not properly sanitize.

This disclosure places immediate pressure on development teams and organizations using Angular to audit their dependencies and apply the security patch. The automated closure of the related GitHub pull request highlights the urgency with which such updates are being pushed through CI/CD pipelines. Failure to update leaves web applications exposed to client-side attacks, potentially compromising user sessions and sensitive information. The fix is now available in the latest major release of the Angular compiler.
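
One way to carry out the dependency audit described above, as an added example that is not code from the Angular project, Renovate, or the original report: it walks a parsed npm `package-lock.json` (lockfileVersion 2 or 3) and flags every installed copy of `@angular/compiler`, nested copies included, that sits below the `19.0.0` update target given on this page. The lockfile contents and the package names `legacy-widget` and `other-lib` are constructed sample data, and the threshold is an assumption to confirm against the advisory.

```javascript
// Added example; PATCHED_MIN is the update target stated on this page (assumption: confirm in the advisory).
const PKG = "@angular/compiler";
const PATCHED_MIN = "19.0.0";

// Parse "major.minor.patch[-prerelease]"; returns null when malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) } : null;
}

// True when a sorts before b; a prerelease sorts before its own release.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Report every installed copy of PKG in a parsed lockfile, including copies nested under other packages.
function auditLock(lock, minVersion = PATCHED_MIN) {
  const min = parseVersion(minVersion);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== "node_modules/" + PKG && !path.endsWith("/node_modules/" + PKG)) continue;
    const v = parseVersion(meta.version);
    const status = !v ? "unparseable" : isBelow(v, min) ? "below-target" : "ok";
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// A caret range with major > 0 (e.g. "^16.2.3") never resolves to a higher major; null = form not interpreted here.
function caretBlocksTarget(range, minVersion = PATCHED_MIN) {
  const m = /^\^([1-9]\d*)\./.exec(String(range || ""));
  return m ? Number(m[1]) < parseVersion(minVersion).nums[0] : null;
}

// Constructed sample lockfile; package names other than PKG and compiler-cli are hypothetical.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "@angular/compiler": "^16.2.3" } },
    "node_modules/@angular/compiler": { version: "16.2.12" },
    "node_modules/@angular/compiler-cli": { version: "16.2.12" },
    "node_modules/legacy-widget/node_modules/@angular/compiler": { version: "19.0.0-rc.1" },
    "node_modules/other-lib/node_modules/@angular/compiler": { version: "19.1.4" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) console.log(f.status, f.version, f.path);
```

The nested copies matter because bumping the root range in `package.json` does not change versions that other packages pin for themselves; the prerelease is flagged conservatively because it sorts below the release.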

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Angular, XSS, CVE-2026-22610, Security Vulnerability, Dependency Management
- **Credibility**: unverified
- **Published**: 2026-03-29 05:26:55
- **ID**: 39637
- **URL**: https://whisperx.ai/en/intel/39637