PatchSiren cyber security CVE debrief

CVE-2026-52725 Angular CVE debrief

CVE-2026-52725 is a medium-severity vulnerability in the Angular development platform. The issue, located in the @angular/core package, enables an attacker to bypass script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism failed to reject mounting components directly onto a <script> or namespaced script element. This flaw allows an attacker who can control the host element or selector parameter passed to createComponent to initialize or mount an Angular component directly onto a <script> tag, leading to execution of untrusted code or client-side Cross-Site Scripting (XSS). The vulnerability is fixed in versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23. Developers using affected versions of Angular should update to these patched versions to mitigate the risk.

Vendor: angular
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-22
Original CVE updated: 2026-06-26
Advisory published: 2026-06-22
Advisory updated: 2026-06-26

Who should care

Developers and security teams using Angular for web application development should be aware of this vulnerability. Given the medium severity and the potential for XSS, teams whose applications use dynamic component creation, particularly where the host element or selector is derived from user-supplied data, should prioritize patching. Security teams responsible for monitoring and protecting against client-side attacks should also understand the potential impact and update their detection mechanisms accordingly.

Technical summary

The vulnerability in Angular's @angular/core package stems from the dynamic component instantiation mechanism's failure to reject mounting components onto <script> or namespaced script elements. An attacker who controls the host passed to that mechanism can therefore have a component initialized on a tag that executes script, turning the mount point into a script-executing host. The issue carries a CVSS score of 5.3 (Medium). Per the vector, it is reachable over the network (AV:N) with low attack complexity (AC:L), needs no privileges (PR:N) or special attack requirements (AT:N), and requires passive user interaction (UI:P). Successful exploitation has limited confidentiality (VC:L) and integrity (VI:L) impact and no availability impact (VA:N). The full CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

This vulnerability should be prioritized for patching due to its potential for client-side XSS. While the CVSS score is Medium, the impact of successful exploitation can be significant, especially in applications with dynamic content or user-supplied data feeding component creation.

Recommended defensive actions

  • Update to patched versions of Angular: 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23.
  • Review and restrict usage of dynamic component creation in applications, so that the host element or selector passed to createComponent is never derived from untrusted input.
  • Implement Content Security Policy (CSP) to mitigate XSS attacks.
  • Monitor applications for suspicious script execution or component mounting activities.
  • Perform thorough code reviews and security testing for custom components.
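As an added example (not Angular's code or the upstream fix), the following is a pre-check an application can apply to the host element or selector before it reaches createComponent, implementing the "restrict dynamic component creation" action above. It assumes element-like inputs exposing localName and namespaceURI, and, for the selector form, a root object exposing querySelector.

```javascript
// Added example, not Angular's own code or the CVE fix: a guard run on the
// host argument before createComponent. It rejects an HTML <script> host and
// a namespaced (e.g. SVG) script host, failing closed on anything it cannot resolve.

// localName is used instead of tagName because tagName is upper-cased for
// HTML elements but not for SVG ones; lower-casing covers both.
function isScriptExecutingHost(el) {
  if (!el || typeof el.localName !== 'string') return false;
  // Any namespace counts: an SVG <script> executes just like an HTML one.
  return el.localName.toLowerCase() === 'script';
}

// Resolve a selector-or-node host; `root` defaults to the page document.
function resolveHost(hostOrSelector, root = globalThis.document) {
  if (typeof hostOrSelector !== 'string') return hostOrSelector;
  const el = root?.querySelector?.(hostOrSelector) ?? null;
  if (!el) throw new Error(`host selector matched nothing: ${hostOrSelector}`);
  return el;
}

// Returns the resolved host element, or throws if mounting onto it would
// hand the framework a script-executing element. Call before createComponent.
function assertSafeHost(hostOrSelector, root) {
  const el = resolveHost(hostOrSelector, root);
  if (isScriptExecutingHost(el)) {
    const ns = el.namespaceURI ?? 'no namespace';
    throw new Error(`refusing to mount a component onto <script> (${ns})`);
  }
  return el;
}

// Constructed stand-ins for DOM nodes so the check runs without a browser.
const htmlDiv    = { localName: 'div',    namespaceURI: 'http://www.w3.org/1999/xhtml' };
const htmlScript = { localName: 'script', namespaceURI: 'http://www.w3.org/1999/xhtml' };
const svgScript  = { localName: 'script', namespaceURI: 'http://www.w3.org/2000/svg' };
const fakeRoot = {
  querySelector: (sel) => ({ '#app-host': htmlDiv, '#script-host': htmlScript })[sel] ?? null,
};

// Runs every candidate host through the guard; maps each to 'allowed' or 'blocked'.
function demo() {
  const cases = { htmlDiv, htmlScript, svgScript, '#app-host': '#app-host', '#script-host': '#script-host' };
  const out = {};
  for (const [name, host] of Object.entries(cases)) {
    try { assertSafeHost(host, fakeRoot); out[name] = 'allowed'; }
    catch (e) { out[name] = 'blocked'; }
  }
  return out;
}
```

Upgrading to a patched version remains the fix; the guard only adds a second check for callers that take the host from outside the application or cannot upgrade immediately.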

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability, including its description, CVSS score, and affected versions. The source item URL from NVD offers additional context and references related to the vulnerability. GitHub pull requests and security advisories provide details on the patches and mitigations.

Official resources

This article is AI-assisted and based on the supplied source corpus.