CVE-2026-54265 - Medium Severity Vulnerability
Vulnerable Library - compiler-12.2.5.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-12.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ compiler-12.2.5.tgz (Vulnerable Library)
Found in HEAD commit: 36a9c5d28529109984de6fcc3d0a157d561dac4a
Found in base branch: master
Vulnerability Details
An issue in the "@angular/compiler" package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as "innerHTML", "srcdoc", "src", "href", "data", or "sandbox") is bound using the two-way binding syntax (e.g., "[(innerHTML)]="value"" or "bindon-innerHTML="value""), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the "TwoWayProperty" operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). Impact Any Angular application that uses two-way data binding ("[()]" or "bindon-") on security-sensitive native DOM properties (like "innerHTML", "href" on "", "src" on "
"/"<iframe>", etc.) is vulnerable to this security bypass. Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist: 1. Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., "<div [(innerHTML)]="userContent">"). 2. User-Controlled Input: The value bound to this property must be influenceable by user-controlled input. 3. Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via "DomSanitizer") before passing the value to the bound property. Patches * 22.0.1 * 21.2.17 * 20.3.25
Publish Date: 2026-06-15
URL: CVE-2026-54265
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-58w9-8g37-x9v5
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v20.3.25,https://github.com/angular/angular.git - v21.2.17
CVE-2026-54265 - Medium Severity Vulnerability
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-12.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 36a9c5d28529109984de6fcc3d0a157d561dac4a
Found in base branch: master
An issue in the "@angular/compiler" package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as "innerHTML", "srcdoc", "src", "href", "data", or "sandbox") is bound using the two-way binding syntax (e.g., "[(innerHTML)]="value"" or "bindon-innerHTML="value""), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the "TwoWayProperty" operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). Impact Any Angular application that uses two-way data binding ("[()]" or "bindon-") on security-sensitive native DOM properties (like "innerHTML", "href" on "", "src" on "
"/"<iframe>", etc.) is vulnerable to this security bypass. Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist: 1. Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., "<div [(innerHTML)]="userContent">"). 2. User-Controlled Input: The value bound to this property must be influenceable by user-controlled input. 3. Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via "DomSanitizer") before passing the value to the bound property. Patches * 22.0.1 * 21.2.17 * 20.3.25
Publish Date: 2026-06-15
URL: CVE-2026-54265
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-58w9-8g37-x9v5
Release Date: 2026-06-15
Fix Resolution: https://github.com/angular/angular.git - v20.3.25,https://github.com/angular/angular.git - v21.2.17