Vulnerabilities · January 11, 2026 · 4 min read

Angular XSS Flaw Bypasses Sanitization via SVG Script Tags

CVE-2026-22610 lets attackers inject JavaScript through SVG script attributes that Angular's sanitizer fails to recognize. Patches available for versions 19-21.

Marcus Chen

A cross-site scripting vulnerability in Angular's template compiler allows attackers to bypass built-in security protections by exploiting SVG script element attributes. CVE-2026-22610 affects Angular versions 18 through 21 and carries a CVSS score of 8.5 (High).

The flaw stems from Angular's sanitization schema failing to account for the fact that an SVG <script> element names its source differently from an HTML <script> element. Angular treats src on an HTML script as a resource URL and refuses untrusted values there, but the equivalent href and xlink:href attributes on an SVG script had no security context at all, so a bound value reached the DOM unchanged and could load attacker-chosen JavaScript.

How the Vulnerability Works

Angular includes XSS protections that sanitize values bound into templates. When a developer binds data into a context the framework knows to be dangerous, such as a URL, HTML, or a script source, Angular's sanitizer checks the value before it reaches the DOM and strips or refuses anything malicious. Which check runs is decided by a schema keyed on element and attribute, and that schema is where this bug lives.

The schema records that <script src="..."> in HTML can load arbitrary JavaScript and classifies the src attribute as a Resource URL context, the strictest one. Angular does not try to rewrite a value in that context; it refuses to bind anything the application has not explicitly marked trusted (through DomSanitizer.bypassSecurityTrustResourceUrl), so external scripts, data: URIs containing code, and other dangerous values never reach the element.

SVG follows different conventions. The <script> element in SVG names its source with href (SVG 2) or the older xlink:href (SVG 1.1) rather than src. Angular's schema did not classify either attribute as a Resource URL context, so a binding to one of them received no sanitization at all. That gap is the bypass.

An attacker can craft a payload like:

<svg>
  <script href="data:text/javascript,alert('XSS')"></script>
</svg>

That is the markup a browser ends up with when an Angular template binds attacker-controlled data to the href (or xlink:href) attribute of an SVG script element, for example through [attr.href]. The sanitizer has no context for the attribute and passes the value through unchanged; the browser then evaluates the data: URI as a script, and the injected JavaScript runs in the origin of the vulnerable page.
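To make the schema gap concrete, here is a simplified model of a schema-driven binding check, added for this article; it is not Angular's source. The element|attribute keys and the :svg: prefix follow Angular's naming convention, but the schema contents, the TrustedResourceUrl stand-in for bypassSecurityTrustResourceUrl, and the function names are assumptions made for illustration. The same data: payload is pushed through the HTML and SVG spellings of the script-source attribute under both the vulnerable and the patched schema:

```typescript
// Simplified model of the schema-driven check behind this bug. Written for
// this article, not Angular's source: the "element|attribute" keys and the
// ":svg:" namespace prefix follow Angular's naming convention, but the schema
// contents, the TrustedResourceUrl class and the function names are assumptions.

type SecurityContext = 'NONE' | 'RESOURCE_URL';
type SecuritySchema = { [elementAndAttribute: string]: SecurityContext };

// Marker for a value the application has explicitly vouched for, standing in
// for what DomSanitizer.bypassSecurityTrustResourceUrl() produces in a real app.
class TrustedResourceUrl {
  constructor(public readonly value: string) {}
}

// Before the fix: the schema knows an HTML script's src loads code, but
// records nothing for the SVG spellings of the same attribute.
const VULNERABLE_SCHEMA: SecuritySchema = {
  'script|src': 'RESOURCE_URL',
  'iframe|src': 'RESOURCE_URL',
};

// After the fix: the SVG script's href and xlink:href get the same context.
const PATCHED_SCHEMA: SecuritySchema = {
  'script|src': 'RESOURCE_URL',
  'iframe|src': 'RESOURCE_URL',
  ':svg:script|href': 'RESOURCE_URL',
  ':svg:script|xlink:href': 'RESOURCE_URL',
};

function securityContext(schema: SecuritySchema, element: string, attribute: string): SecurityContext {
  return schema[element + '|' + attribute] || 'NONE';
}

// Returns the string that would be written to the DOM for this binding, or
// throws when the context is RESOURCE_URL and the value is not trusted. There
// is no rewriting step in that context: the value is refused or passed.
function bindAttribute(
  schema: SecuritySchema,
  element: string,
  attribute: string,
  value: string | TrustedResourceUrl,
): string {
  if (value instanceof TrustedResourceUrl) {
    return value.value; // the application took responsibility for this value
  }
  if (securityContext(schema, element, attribute) === 'RESOURCE_URL') {
    throw new Error('unsafe value used in a resource URL context: ' + element + ' ' + attribute);
  }
  return value; // no context recorded for this pair: passes through untouched
}

// True when the schema blocks an untrusted string for this binding.
function refuses(schema: SecuritySchema, element: string, attribute: string, value: string): boolean {
  try {
    bindAttribute(schema, element, attribute, value);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed payload: the same data: URI as in the article.
const PAYLOAD = "data:text/javascript,alert('XSS')";

// Walk one untrusted value through each attribute spelling and each schema.
function demonstrate(): { [label: string]: boolean } {
  return {
    'vulnerable html script src refused': refuses(VULNERABLE_SCHEMA, 'script', 'src', PAYLOAD),
    'vulnerable svg script href refused': refuses(VULNERABLE_SCHEMA, ':svg:script', 'href', PAYLOAD),
    'vulnerable svg script xlink:href refused': refuses(VULNERABLE_SCHEMA, ':svg:script', 'xlink:href', PAYLOAD),
    'patched svg script href refused': refuses(PATCHED_SCHEMA, ':svg:script', 'href', PAYLOAD),
    'patched svg script xlink:href refused': refuses(PATCHED_SCHEMA, ':svg:script', 'xlink:href', PAYLOAD),
  };
}
```

Under the vulnerable schema the HTML spelling is refused and both SVG spellings pass the data: URI through untouched; under the patched schema all three are refused unless the application wraps the value as trusted. The point to take from the model is that a context-based sanitizer is only as complete as its table of element and attribute names.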

Exploitation Requirements

Not every Angular application is vulnerable. Successful exploitation requires three conditions:

  1. The application uses SVG <script> elements in its templates (unusual in general, though visualization-heavy applications that inline SVG sometimes do)
  2. The template binds href or xlink:href on those SVG scripts dynamically, whether through attribute binding ([attr.href], [attr.xlink:href]), property binding ([href]) or interpolation (href="{{ ... }}"), which Angular compiles to a property binding
  3. The bound value originates from an untrusted source: URL parameters, stored user-supplied content, or unvalidated API responses

Applications that don't use SVG scripts or don't dynamically bind their URL attributes remain unaffected. But for those that do, the impact is significant.

Impact

Successful XSS exploitation enables:

  • Session hijacking - Stealing authentication cookies and tokens
  • Data exfiltration - Reading sensitive information displayed in the application
  • Unauthorized actions - Clicking buttons, submitting forms, or calling APIs on behalf of the victim
  • Credential theft - Injecting fake login forms to capture passwords
  • Malware distribution - Redirecting users to malicious sites

The vulnerability is particularly concerning for applications handling sensitive data or administrative functions. An XSS flaw in an admin panel could compromise the entire system.

Affected and Patched Versions

Affected                                 Fixed
18.2.14 and earlier                      No patch (end-of-life)
19.0.0-next.0 to 19.2.17                 19.2.18
20.0.0-next.0 to 20.3.15                 20.3.16
21.0.0-next.0 to 21.0.6                  21.0.7
21.1.0-next.0 to before 21.1.0-rc.0      21.1.0-rc.0

Organizations running Angular 18 or earlier face a harder decision. Those versions are end-of-life and won't receive security updates. Upgrading to a supported version is the only remediation path.

Temporary Mitigations

If immediate patching isn't possible:

  1. Audit SVG script usage - Search your templates for <script> elements inside <svg> subtrees
  2. Remove dynamic bindings - Don't bind [attr.href], [attr.xlink:href], [href] or an interpolated href on SVG scripts; a static href pointing at your own script is not affected
  3. Validate input server-side - If a dynamic value must be used, validate it against a strict allowlist of trusted script URLs (exact scheme and host, not a prefix match) before it reaches the template
  4. Content Security Policy - A script-src directive that omits data: and 'unsafe-inline' and restricts script origins blocks the data: payload shown above and limits what an attacker can load, but it does not restore the missing sanitization, so treat it as defense in depth rather than a fix
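The following TypeScript is added here as an example and is not tooling from the Angular project. It implements mitigation steps 1 to 3 and the template check implied by the exploitation requirements above: a scanner that reports SVG <script> elements whose href or xlink:href is bound through attribute binding, property binding, bind- prefixes or interpolation, plus an allowlist check for any script URL that must still be bound. The file names, template contents and allowed host are constructed for the example, and the regex scan is a triage aid rather than a parser of Angular's template syntax.

```typescript
// Added example for this article, not Angular tooling: a template scanner for
// dynamically bound SVG script sources plus an allowlist check for values that
// must still be bound. File names, templates and hosts are constructed.

interface Finding {
  file: string;
  line: number;       // 1-based line of the <script> open tag
  attribute: string;  // binding syntax found, e.g. "[attr.href]"
  expression: string; // what the template binds to it
}

// Every match of a pattern; a fresh RegExp per call keeps lastIndex from
// leaking between the nested loops below.
function allMatches(pattern: RegExp, text: string): RegExpExecArray[] {
  const re = new RegExp(pattern.source, 'gi');
  const out: RegExpExecArray[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    out.push(m);
    if (m[0].length === 0) re.lastIndex++;
  }
  return out;
}

// Only a <script> inside an <svg> subtree names its source with href/xlink:href.
const SVG_SUBTREE = /<svg\b[\s\S]*?<\/svg>/gi;
const SCRIPT_OPEN_TAG = /<script\b([^>]*)>/gi;
// Angular binding forms: [attr.href], [attr.xlink:href], [href], [xlink:href], bind-*
const BOUND_HREF = /(\[attr\.(?:xlink:)?href\]|\[(?:xlink:)?href\]|bind-attr\.(?:xlink:)?href|bind-(?:xlink:)?href)\s*=\s*"([^"]*)"/gi;
// Interpolation inside a plain attribute is a binding as well.
const INTERPOLATED_HREF = /\b((?:xlink:)?href)\s*=\s*"([^"]*\{\{[^"]*)"/gi;

function scanTemplate(file: string, contents: string): Finding[] {
  const findings: Finding[] = [];
  allMatches(SVG_SUBTREE, contents).forEach((svg) => {
    allMatches(SCRIPT_OPEN_TAG, svg[0]).forEach((tag) => {
      const line = contents.slice(0, svg.index + tag.index).split('\n').length;
      const attrs = tag[1];
      allMatches(BOUND_HREF, attrs).concat(allMatches(INTERPOLATED_HREF, attrs)).forEach((m) => {
        findings.push({ file: file, line: line, attribute: m[1], expression: m[2] });
      });
    });
  });
  return findings;
}

function auditTemplates(templates: { [file: string]: string }): Finding[] {
  let findings: Finding[] = [];
  Object.keys(templates).forEach((file) => {
    findings = findings.concat(scanTemplate(file, templates[file]));
  });
  return findings;
}

function parseAbsoluteUrl(value: string): URL | null {
  try {
    return new URL(value); // throws on relative and protocol-relative strings
  } catch (e) {
    return null;
  }
}

// Mitigation 3: accept only absolute https URLs on an exact-match host list.
// The protocol and hostname checks reject data:, javascript:, blob:, userinfo
// tricks (https://cdn.example.com@evil.net) and lookalikes (cdn.example.com.evil.net).
function isAllowedScriptUrl(value: string, allowedHosts: string[]): boolean {
  const url = parseAbsoluteUrl(value);
  if (url === null || url.protocol !== 'https:') return false;
  return allowedHosts.indexOf(url.hostname) !== -1;
}

// Constructed sample templates (not from any real project).
const SAMPLE_TEMPLATES: { [file: string]: string } = {
  'chart.component.html': [
    '<div class="chart">',
    '  <svg viewBox="0 0 100 100">',
    '    <script [attr.href]="scriptUrl"></script>',
    '    <circle r="10"></circle>',
    '  </svg>',
    '</div>',
  ].join('\n'),
  'icon.component.html': [
    '<svg>',
    '  <script xlink:href="assets/legend.js"></script>', // static value: not a finding
    '</svg>',
  ].join('\n'),
  'legacy.component.html': [
    '<svg>',
    '  <script [attr.xlink:href]="legacyUrl"></script>',
    '  <script href="{{ inlineUrl }}"></script>',
    '</svg>',
    '<script [src]="helper"></script>', // HTML script: src already has a resource URL context
  ].join('\n'),
};

const ALLOWED_SCRIPT_HOSTS = ['cdn.example.com'];
```

Running auditTemplates(SAMPLE_TEMPLATES) reports three findings (chart.component.html line 3, legacy.component.html lines 2 and 3) and ignores both the static xlink:href and the HTML script outside the SVG. The allowlist check deliberately compares the parsed hostname for equality rather than testing a string prefix, because prefix matching is what lets cdn.example.com.evil.net or a userinfo-padded URL slip through.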

Why This Matters

Angular powers thousands of enterprise web applications. The framework's built-in security features—including automatic sanitization—give developers confidence that XSS vulnerabilities are handled by default. When that sanitization fails, applications that seemed secure become vulnerable.

The SVG-specific nature of this flaw highlights how subtle differences between HTML and SVG can create security gaps. Both use similar elements and attributes, but browsers handle them differently. Security tools and frameworks must account for these differences to provide comprehensive protection.

Development teams should update to patched Angular versions and audit their codebases for SVG script bindings. The 8.5 CVSS score reflects the potential severity when exploitation conditions align.
