Angular

This hub aggregates every CVE we track for Angular, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Angular.

• CVE-2026-41423Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server5.3May 8, 2026
• CVE-2026-27970Angular i18n vulnerable to Cross-Site Scripting (XSS)6.1Feb 26, 2026
• CVE-2026-22610Angular has XSS Vulnerability via Unsanitized SVG Script Attributes6.1Jan 10, 2026
• CVE-2025-66412Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes5.4Dec 1, 2025
• CVE-2025-66035Angular HTTP Client Has XSRF Token Leakage via Protocol-Relative URLs7.5Nov 26, 2025
• CVE-2025-61261A reflected cross-site scripting (XSS) vulnerability in CKeditor v46.1.0 & Angular v18.0.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payl...5.4Nov 7, 2025
• CVE-2025-0716AngularJS improper sanitization in SVG '<image>' element4.8Apr 29, 2025
• CVE-2024-54152Angular Expressions - Remote Code Execution when using locals9.8Dec 10, 2024
• CVE-2024-8373AngularJS improper sanitization in '<source>' element4.8Sep 9, 2024
• CVE-2024-8372AngularJS improper sanitization in 'srcset' attribute4.8Sep 9, 2024
• CVE-2024-21490This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With larg...7.5Feb 10, 2024
• CVE-2023-26116Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression...5.3Mar 30, 2023
• CVE-2023-26118Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in th...5.3Mar 30, 2023
• CVE-2023-26117Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting th...5.3Mar 30, 2023
• CVE-2022-25869All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in t...4.2Jul 15, 2022