Skip to content

CVE-2026-54265 (Medium) detected in compiler-12.2.5.tgz #127

Description

@mend-for-github-com

CVE-2026-54265 - Medium Severity Vulnerability

Vulnerable Library - compiler-12.2.5.tgz

Angular - the compiler library

Library home page: https://registry.npmjs.org/@⁠angular/compiler/-/compiler-12.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

  • compiler-12.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 36a9c5d28529109984de6fcc3d0a157d561dac4a

Found in base branch: master

Vulnerability Details

An issue in the "@⁠angular/compiler" package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as "innerHTML", "srcdoc", "src", "href", "data", or "sandbox") is bound using the two-way binding syntax (e.g., "[(innerHTML)]="value"" or "bindon-innerHTML="value""), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the "TwoWayProperty" operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). Impact Any Angular application that uses two-way data binding ("[()]" or "bindon-") on security-sensitive native DOM properties (like "innerHTML", "href" on "", "src" on ""/"<iframe>", etc.) is vulnerable to this security bypass. Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user. Attack Preconditions To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist: 1. Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g., "<div [(innerHTML)]="userContent">"). 2. User-Controlled Input: The value bound to this property must be influenceable by user-controlled input. 3. Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via "DomSanitizer") before passing the value to the bound property. Patches * 22.0.1 * 21.2.17 * 20.3.25

Publish Date: 2026-06-15

URL: CVE-2026-54265

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-58w9-8g37-x9v5

Release Date: 2026-06-15

Fix Resolution: https://github.com/angular/angular.git - v20.3.25,https://github.com/angular/angular.git - v21.2.17


  • Check this box to open an automated fix PR

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions