Bug 2491412 (CVE-2026-52725)
| Summary: | CVE-2026-52725 @angular/core: @angular/core: Cross-Site Scripting (XSS) via dynamic component creation bypass | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amctagga, aoconnor, bniver, ewittman, flucifre, gmalinko, gmeno, gotiwari, gparvin, groman, janstey, jhorak, mbenjamin, mhackett, mvyas, nipatil, pahickey, pantinor, pdelbell, rhaigner, rhel-process-autobot, rkubis, rstepani, sostapov, vereddy, watson-tool-maintainers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the @angular/core component. This vulnerability allows an attacker to bypass security restrictions when creating dynamic components. By manipulating the host element or selector, an attacker can force an Angular component to be mounted directly onto a script tag. This can result in the execution of untrusted code or client-side Cross-Site Scripting (XSS), potentially compromising user data or system integrity.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-06-22 16:02:05 UTC
|