## CVE-2026-22610: High-Severity XSS Flaw in Angular Core Exposes Web Apps to Script Injection
A high-severity flaw has been disclosed in the Angular framework: a gap in its template sanitization logic leaves web applications built on unpatched versions open to cross-site scripting (XSS). The vulnerability, tracked as CVE-2026-22610 and rated HIGH, stems from the Angular template compiler failing to recognize the `href` and `xlink:href` attributes of SVG `<script>` elements as URL-bearing, script-loading attributes, so values bound into them are not sanitized. Because an SVG `<script>` fetches and executes whatever `href`/`xlink:href` points at, an attacker who can influence that value can load a script of their choosing into the page, with the usual XSS consequences: data theft, session hijacking, and actions performed in the victim's session.
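A quick way to triage a code base for the affected pattern is to look for `<script>` elements inside an `<svg>` subtree that carry `href` or `xlink:href`, either as a static attribute or as an Angular attribute binding (`[attr.href]`, `[attr.xlink:href]`, `bind-attr.*`, or `{{ }}` interpolation). The following scanner is an added example, not Angular's code and not a proof of concept from the advisory; the sample template, the `SAMPLE_TEMPLATE` name and the `findSvgScriptHrefs` helper are assumptions made for illustration. It is regex-based, which is adequate for grepping templates but is not a full HTML parser.

```javascript
// Added example (not Angular's code or the advisory's PoC): scan Angular
// template markup for <script> elements inside an <svg> subtree that carry an
// href / xlink:href attribute, static or bound. These are the attributes the
// page says affected compiler versions leave unsanitized.

// Tag: optional "/", name, attribute text, optional self-closing "/".
const TAG_RE =
  /<(\/?)([A-Za-z][\w:.-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
// One attribute: name, optional quoted or bare value.
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
// Attribute spellings that point an SVG <script> at an external resource.
const URL_ATTRS = new Set([
  "href", "xlink:href",
  "[attr.href]", "[attr.xlink:href]",
  "bind-attr.href", "bind-attr.xlink:href",
]);

// Returns one finding per href-like attribute on a <script> nested in <svg>.
function findSvgScriptHrefs(template) {
  const findings = [];
  let svgDepth = 0; // >0 while inside an <svg> element
  for (const m of template.matchAll(TAG_RE)) {
    const [, closing, rawName, attrText, selfClosing] = m;
    const name = rawName.toLowerCase();
    if (name === "svg") {
      if (closing) svgDepth = Math.max(0, svgDepth - 1);
      else if (!selfClosing) svgDepth++;
      continue;
    }
    // HTML <script> outside <svg> is a different case (Angular strips it).
    if (name !== "script" || closing || svgDepth === 0) continue;
    for (const a of attrText.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      if (!URL_ATTRS.has(attr)) continue;
      const value = a[2] ? a[2].replace(/^["']|["']$/g, "") : "";
      // Bound values are the ones that can carry attacker-controlled data.
      const bound =
        attr.startsWith("[") || attr.startsWith("bind-") || value.includes("{{");
      findings.push({ attr, value, bound, offset: m.index });
    }
  }
  return findings;
}

// Constructed sample template (not from any real project). Only the two
// <script> elements inside <svg> should be reported.
const SAMPLE_TEMPLATE = `
<a [href]="userLink">profile</a>
<svg viewBox="0 0 10 10">
  <script [attr.href]="iconScriptUrl"></script>
  <script xlink:href="/static/legit.js"></script>
</svg>
<script src="/app.js"></script>
`;

console.log(JSON.stringify(findSvgScriptHrefs(SAMPLE_TEMPLATE), null, 2));
```

Findings with `bound: true` deserve the first look: a static `href` to a first-party file is at most a review item, while a binding fed from route parameters, query strings or API data is the input the sanitizer was supposed to guard.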

The flaw lives in the `@angular/core` package. Fixed versions are 19.2.18, 20.3.16 and 21.0.7; anything earlier on those release lines is vulnerable, and the 21.1.0 release candidate is listed as affected as well. The entry behind this page comes from a Trivy dependency scan of the `closenow.ai` project, which flagged `@angular/core@19.2.14` in the project's dependency tree; the scanner matched a known vulnerable version rather than discovering the flaw itself. The weakness is classified as CWE-79 (cross-site scripting): a trusted framework's sanitizer failed to account for one specific, exploitable context.

The disclosure puts immediate pressure on teams that ship Angular applications. Exposure depends on whether an application's templates let untrusted input reach those attributes, but the safe working assumption is that any unpatched version is at risk. Patches are available, so remediation is a matter of auditing lockfiles for affected `@angular/core` versions (including transitive copies pulled in by other packages), upgrading to the fixed releases, and running regression tests. The incident is a reminder that foundational dependencies carry hidden risk and that continuous, deep dependency scanning belongs in the software supply chain.
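
The audit step above can be scripted against an npm lockfile so that CI fails on a vulnerable `@angular/core` before a scanner runs. The following check is an added example, not Trivy's or Angular's code; the fixed-version table is taken from this page, the `SAMPLE_LOCK` lockfile is constructed for illustration, and the handling of the 21.1 line is an assumption: the page says the 21.1.0 release candidate is vulnerable and names no fixed 21.1 release, so 21.1.0 pre-releases are reported as vulnerable and later 21.x versions as unknown rather than fixed.

```javascript
// Added example (not Trivy's or Angular's code): classify every @angular/core
// entry in an npm lockfile (lockfileVersion 2/3 "packages" map) against the
// fixed versions the advisory lists.

// Fixed version per major line, as stated on the page.
const FIXED = { 19: [19, 2, 18], 20: [20, 3, 16], 21: [21, 0, 7] };

// Minimal semver parse: numeric core plus optional pre-release tag.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}

function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "vulnerable", "fixed" or "unknown" for an @angular/core version.
function classify(version) {
  const { core, pre } = parseSemver(version);
  const [major, minor, patch] = core;
  if (major === 21 && minor >= 1) {
    // Assumption: the page lists the 21.1.0 release candidate as vulnerable
    // and names no fixed 21.1 release, so 21.1.0 pre-releases are vulnerable
    // and anything later on 21.x is reported as unknown, not fixed.
    return minor === 1 && patch === 0 && pre ? "vulnerable" : "unknown";
  }
  if (major < 19) return "vulnerable"; // below every fixed version listed
  const fixed = FIXED[major];
  if (!fixed) return "unknown"; // majors the page does not cover
  const c = cmpCore(core, fixed);
  if (c < 0) return "vulnerable";
  if (c === 0 && pre) return "vulnerable"; // e.g. 19.2.18-next.0 precedes 19.2.18
  return "fixed";
}

// Walk the lockfile's "packages" map; nested paths catch transitive copies.
function auditLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/@angular/core") || !entry.version) continue;
    results.push({ path, version: entry.version, status: classify(entry.version) });
  }
  return results;
}

// Constructed sample lockfile (not a real project's). The first entry is the
// version the page reports; the nested one is a transitive duplicate.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@angular/core": "^19.2.0" } },
    "node_modules/@angular/core": { version: "19.2.14" },
    "node_modules/some-ui-kit/node_modules/@angular/core": { version: "20.3.16" },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
if (report.some((r) => r.status === "vulnerable")) {
  console.error("vulnerable @angular/core present; upgrade before shipping");
}
```

In a real pipeline, feed it `JSON.parse(fs.readFileSync("package-lock.json"))` and exit non-zero on any "vulnerable" row; keep "unknown" rows visible so the table is updated once the advisory names a fixed 21.1 release.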
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, web-development, software-supply-chain, CVE
- **Credibility**: unverified
- **Published**: 2026-04-08 00:27:06
- **ID**: 54016
- **URL**: https://whisperx.ai/en/intel/54016