Bug 2428424 (CVE-2026-22610)

Summary: CVE-2026-22610 angular: Angular: Cross-site scripting vulnerability in Template Compiler
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alcohan, aschwart, asoldano, aszczucz, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, bstansbe, darran.lofthouse, dlofthou, doconnor, dosoudil, drichtar, eglynn, gmalinko, gotiwari, gparvin, istudens, ivassile, iweiss, janstey, jbalunas, jcantril, jgrulich, jhorak, jjoyce, jpretori, jschluet, lchilton, lhh, mburns, mgarciac, mosmerov, mposolda, msvehla, mvyas, nwallace, owatkins, pahickey, pberan, pdelbell, pesilva, pjindal, pmackay, rhaigner, rhel-process-autobot, rmartinc, rojacob, rstancel, rstepani, sfeifer, smaestri, ssilvert, sthorger, teagle, thjenkin, tom.jenkinson, tpopela, vdosoudi, vmuzikar, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Angular. An attacker could exploit a cross-site scripting (XSS) vulnerability in the Angular Template Compiler due to improper sanitization of `href` and `xlink:href` attributes within SVG `<script>` elements. This could allow an attacker to inject malicious scripts into web pages, leading to arbitrary code execution in the user's browser.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2428988, 2428989, 2428991, 2428999, 2429000, 2429001, 2429002, 2429005, 2429006, 2428990, 2428992, 2428993, 2428994, 2428995, 2428996, 2428997, 2428998, 2429003, 2429004    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-10 04:02:24 UTC
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.