PatchSiren cyber security CVE debrief
CVE-2026-54268 angular CVE debrief
CVE-2026-54268 is a high-severity Denial of Service (DoS) vulnerability in the @angular/common package of the Angular framework. The formatDate function, which the standard Angular DatePipe also uses, does not limit or validate the length of its format parameter. Parsing a maliciously crafted, excessively long date format string therefore causes uncontrolled resource consumption (high CPU utilization and excessive memory allocations). The vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25. Users of affected versions should update to these patched versions to prevent exploitation.
- Vendor: angular
- Product: Unknown
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-22
- Original CVE updated: 2026-06-26
- Advisory published: 2026-06-22
- Advisory updated: 2026-06-26
Who should care
Developers and administrators using Angular versions prior to 22.0.1, 21.2.17, or 20.3.25 should be aware of this vulnerability and take steps to mitigate it. This includes updating to patched versions and monitoring for potential exploitation attempts. Additionally, users of Angular applications may be impacted if they are using vulnerable versions, and should inform their developers to apply the necessary patches.
Technical summary
The CVE-2026-54268 vulnerability is a Denial of Service (DoS) issue in the @angular/common package of the Angular framework. The formatDate function and Angular DatePipe do not properly validate the length of the format parameter, leading to uncontrolled resource consumption when parsing maliciously crafted date format strings. This results in high CPU utilization and excessive memory allocations, causing a Denial of Service. The vulnerability has a CVSS score of 8.2 and is considered high-severity.
Defensive priority
High priority should be given to updating Angular to versions 22.0.1, 21.2.17, or 20.3.25, as applicable. Additionally, monitoring for potential exploitation attempts and implementing compensating controls, such as input validation and rate limiting, may help mitigate the risk of this vulnerability.
Recommended defensive actions
- Update to Angular version 22.0.1, 21.2.17, or 20.3.25, as applicable.
- Monitor for potential exploitation attempts and implement compensating controls.
- Implement input validation and rate limiting to mitigate the risk of this vulnerability.
- Review and update affected applications to ensure they are using patched versions of Angular.
- Inform developers of the necessary patches and ensure they are applied in a timely manner.
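One way to apply the input-validation control listed above to a user-influenced format string before it reaches formatDate or DatePipe. This is an added example, not Angular's code or the patch itself; `checkDateFormat`, the 64-character `MAX_FORMAT_LENGTH` and the character allow-list are assumptions, since the page does not state what limit the fixed releases enforce.

```typescript
// Added example (not Angular's code). The cap below is an assumed value.
const MAX_FORMAT_LENGTH = 64;

// Predefined format names accepted by formatDate / DatePipe.
const NAMED_FORMATS: string[] = [
  'short', 'medium', 'long', 'full',
  'shortDate', 'mediumDate', 'longDate', 'fullDate',
  'shortTime', 'mediumTime', 'longTime', 'fullTime',
];

// Assumed allow-list for custom patterns: letters, digits, whitespace,
// quotes and common date punctuation. A single anchored character class
// runs in linear time, so the check itself cannot be made to backtrack.
const CUSTOM_FORMAT_CHARS = /^[A-Za-z0-9\s'.,:\/\-()]+$/;

type FormatCheck = { ok: boolean; format: string; reason: string };

// Returns the format to pass on, falling back to a fixed named format
// whenever the supplied value is rejected.
function checkDateFormat(input: unknown, fallback: string = 'mediumDate'): FormatCheck {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, format: fallback, reason: 'not-a-string-or-empty' };
  }
  // Length is tested first: an oversized value is rejected before any
  // regex or date formatter touches it.
  if (input.length > MAX_FORMAT_LENGTH) {
    return { ok: false, format: fallback, reason: 'too-long' };
  }
  if (NAMED_FORMATS.indexOf(input) !== -1) {
    return { ok: true, format: input, reason: 'named' };
  }
  if (!CUSTOM_FORMAT_CHARS.test(input)) {
    return { ok: false, format: fallback, reason: 'unexpected-characters' };
  }
  return { ok: true, format: input, reason: 'custom' };
}

// Intended call site (requires @angular/common, not imported here):
//   formatDate(value, checkDateFormat(userFormat).format, locale)
```

Logging the `reason` for rejected values gives a signal for the monitoring action above. The guard is a compensating control and does not replace updating to a fixed release.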
Evidence notes
The CVE-2026-54268 vulnerability was publicly disclosed on June 22, 2026, and has a CVSS score of 8.2. The vulnerability is caused by the formatDate function and Angular DatePipe not properly validating the length of the format parameter. The vulnerability is fixed in Angular versions 22.0.1, 21.2.17, and 20.3.25. Limited information is available on potential exploitation attempts or affected systems.
Official resources
- CVE-2026-54268 CVE record (CVE.org)
- CVE-2026-54268 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch
- Mitigation or vendor reference: [email protected] - Vendor Advisory
This article was generated with AI assistance based on the supplied source corpus.