{"id":"CVE-2026-54265","summary":"Angular: Two-Way Property Binding Sanitization Bypass (XSS)","details":"Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]=\"value\" or bindon-innerHTML=\"value\"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.","aliases":["GHSA-58w9-8g37-x9v5"],"modified":"2026-07-11T04:04:08.291488050Z","published":"2026-06-22T15:27:38.802Z","database_specific":{"cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"\u003e= 22.0.0-next.0 \u003c 22.0.1"},{"last_affected":"\u003e= 22.0.0-next.0 \u003c 22.0.1"},{"introduced":"\u003e= 21.0.0-next.0 \u003c 21.2.17"},{"last_affected":"\u003e= 21.0.0-next.0 \u003c 21.2.17"},{"introduced":"\u003e= 20.0.0-next.0 \u003c 20.3.25"},{"last_affected":"\u003e= 20.0.0-next.0 \u003c 20.3.25"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54265.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54265.json"},{"type":"ADVISORY","url":"https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54265"},{"type":"FIX","url":"https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4"},{"type":"FIX","url":"https://github.com/angular/angular/pull/69107"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/angular/angular","events":[{"introduced":"0"},{"introduced":"40e2b5b4d13792ed7c46a1d22afcf6c12ac9c679"},{"fixed":"a075161392496629531812ff00762259aae03a98"},{"introduced":"00dcbf2eeb3fd18ed39148e4bc9e49a5b35cae0c"},{"fixed":"31c25e2e85704f12facd9b4b823aa54b943251eb"},{"introduced":"862d27f25c4d3bf2fe2918b76759f3f4a83563d1"},{"fixed":"3013982f754ee0adf3f4258d5ce763f98f9c0ba3"},{"fixed":"3c70270c96677c0dd33585f2afe8e187113e5fb4"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:angular:angular:*:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"19.2.25"},{"introduced":"20.0.0"},{"fixed":"20.3.25"},{"introduced":"21.0.0"},{"fixed":"21.2.17"},{"introduced":"22.0.0"},{"fixed":"22.0.1"}]}}],"versions":["v22.0.1","v21.2.16","vsix-22.0.0","v20.3.24","v20.3.23","v21.2.15","v20.3.22","v20.3.21","vsix-included-21.2.4","vsix-21.2.4","v21.2.14","v21.2.13","v20.3.20","v21.2.12","zone.js-0.16.2","v20.3.19","v21.2.11","v22.0.0-next.10","v22.0.0-next.9","v21.2.10","v21.2.9","v22.0.0-next.8","v20.3.18","v21.2.8","v22.0.0-next.7","v21.2.7","v22.0.0-next.6","v21.2.6","v22.0.0-next.5","v21.2.5","v22.0.0-next.4","v21.2.4","v22.0.0-next.3","v20.3.17","vsix-21.2.3","v22.0.0-next.2","v21.2.3","v21.2.2","v22.0.0-next.1","vsix-21.2.2","v22.0.0-next.0","v21.2.1","vsix-21.2.1","v21.2.0","v20.3.16","zone.js-0.16.1","vsix-21.2.0","v21.2.0-rc.0","v21.2.0-next.3","v21.2.0-next.2","v21.2.0-next.1","v21.2.0-next.0","20.3.15","v21.1.0-next.4","v21.1.0-next.3","v21.1.0-next.2","21.1.0-next.1","20.3.14","21.1.0-next.0","20.3.13","zone.js-0.16.0","20.3.12","20.3.11","20.3.10","20.3.9","20.3.8","20.3.7","20.3.6","20.3.5","21.0.0-next.8","20.3.4","21.0.0-next.7","20.3.3","21.0.0-next.6","20.3.2","21.0.0-next.5","20.3.1","21.0.0-next.4","20.3.0","21.0.0-next.3","20.3.0-rc.0","21.0.0-next.2","20.2.4","20.2.3","20.2.2","21.0.0-next.1","20.2.1","20.2.0","21.0.0-next.0","20.2.0-rc.1","20.2.0-rc.0","20.2.0-next.6","20.2.0-next.5","20.2.0-next.4","20.2.0-next.3","20.2.0-next.2","20.2.0-next.1","20.2.0-next.0","20.1.0-next.3","20.1.0-next.2","20.1.0-next.1","20.1.0-next.0","zone.js-0.15.1","20.0.0-next.8","20.0.0-next.7","20.0.0-next.6","20.0.0-next.5","20.0.0-next.4","20.0.0-next.3","20.0.0-next.2","20.0.0-next.1","20.0.0-next.0","19.2.0-next.3","19.2.0-next.2","19.2.0-next.1","19.2.0-next.0","19.1.0-next.4","19.1.0-next.3","19.1.0-next.2","19.1.0-next.1","19.1.0-next.0","19.0.0-next.10","19.0.0-next.9","19.0.0-next.8","19.0.0-next.7","19.0.0-next.6","19.0.0-next.5","19.0.0-next.4","19.0.0-next.3","19.0.0-next.2","19.0.0-next.1","zone.js-0.15.0","19.0.0-next.0","18.2.0-next.4","zone.js-0.14.10","18.2.0-next.3","18.2.0-next.2","zone.js-0.14.8","18.2.0-next.1","18.2.0-next.0","18.1.0-next.4","18.1.0-next.3","18.1.0-next.2","zone.js-0.14.7","18.1.0-next.1","18.1.0-next.0","zone.js-0.14.6","zone.js-0.14.5","18.0.0-next.5","18.0.0-next.4","18.0.0-next.3","18.0.0-next.2","18.0.0-next.1","18.0.0-next.0","17.3.0-next.1","17.3.0-next.0","zone.js-0.14.4","17.2.0-next.1","17.2.0-next.0","zone.js-0.14.3","17.1.0-next.5","17.1.0-next.4","17.1.0-next.3","17.1.0-next.2","17.1.0-next.1","17.1.0-next.0","zone.js-0.14.2","zone.js-0.14.1","17.0.0-next.7","17.0.0-next.6","17.0.0-next.5","zone.js-0.14.0","17.0.0-next.4","zone.js-0.13.3","zone.js-0.13.2","17.0.0-next.3","17.0.0-next.2","17.0.0-next.1","17.0.0-next.0","16.2.0-next.4","16.2.0-next.3","16.2.0-next.2","16.2.0-next.1","16.2.0-next.0","zone.js-0.13.1","16.1.0-next.3","16.1.0-next.2","16.1.0-next.1","16.1.0-next.0","16.0.0-next.6","16.0.0-next.5","16.0.0-next.4","16.0.0-next.3","16.0.0-next.2","zone.js-0.13.0","16.0.0-next.1","16.0.0-next.0","15.2.0-next.4","15.2.0-next.3","15.2.0-next.2","15.2.0-next.1","15.2.0-next.0","15.1.0-next.3","15.1.0-next.2","15.1.0-next.1","15.1.0-next.0","zone.js-0.12.0","15.0.0-next.5","15.0.0-next.4","15.0.0-next.3","15.0.0-next.2","15.0.0-next.1","15.0.0-next.0","14.2.0-next.1","zone.js-0.11.8","14.2.0-next.0","zone.js-0.11.7","14.1.0-next.4","14.1.0-next.3","14.1.0-next.2","14.1.0-next.1","zone.js-0.11.6","14.1.0-next.0","14.0.0-next.15","14.0.0-next.14","14.0.0-next.13","14.0.0-next.12","14.0.0-next.11","14.0.0-next.10","14.0.0-next.9","14.0.0-next.8","14.0.0-next.7","14.0.0-next.6","zone.js-0.11.5","14.0.0-next.5","14.0.0-next.4","14.0.0-next.3","14.0.0-next.2","14.0.0-next.1","14.0.0-next.0","13.2.0-next.2","13.2.0-next.1","13.2.0-next.0","13.1.0-next.3","13.1.0-next.2","13.1.0-next.1","13.1.0-next.0","13.0.0-next.14","13.0.0-next.13","13.0.0-next.12","13.0.0-next.11","13.0.0-next.10","13.0.0-next.9","13.0.0-next.8","13.0.0-next.7","13.0.0-next.6","13.0.0-next.5","13.0.0-next.4","13.0.0-next.3","13.0.0-next.2","13.0.0-next.1","13.0.0-next.0","12.2.0-next.3","12.2.0-next.2","12.2.0-next.1","12.1.0","12.2.0-next.0","12.1.0-next.6","12.1.0-next.5","12.1.0-next.4","12.1.0-next.3","12.1.0-next.2","12.0.0-next.8","12.0.0-next.7","12.0.0-next.6","12.0.0-next.5","12.0.0-next.4","12.0.0-next.3","12.0.0-next.2","12.0.0-next.1","zone.js-0.11.4","12.0.0-next.0","11.1.0-next.4","11.1.0-next.3","11.1.0-next.2","11.1.0-next.1","11.1.0-next.0","zone.js-0.11.3","zone.js-0.11.2","11.0.0-next.6","11.0.0-next.5","11.0.0-next.4","11.0.0-next.3","11.0.0-next.2","11.0.0-next.1","11.0.0-next.0","10.1.0-rc.0","10.1.0-next.8","10.1.0-next.7","zone.js-0.11.0","10.1.0-next.6","10.1.0-next.5","10.1.0-next.4","10.1.0-next.3","10.1.0-next.2","10.1.0-next.1","10.1.0-next.0","10.0.0-rc.0","10.0.0-next.9","10.0.0-next.8","10.0.0-next.7","10.0.0-next.6","10.0.0-next.5","10.0.0-next.4","10.0.0-next.3","10.0.0-next.2","10.0.0-next.1","10.0.0-next.0","9.1.0-rc.0","9.1.0-next.5","zone.js-0.10.3","9.1.0-next.4","9.1.0-next.2","9.1.0-next.1","9.1.0-next.0","9.0.0-rc.1","9.0.0-rc.0","9.0.0-next.15","9.0.0-next.14","9.0.0-next.13","9.0.0-next.12","9.0.0-next.11","9.0.0-next.10","9.0.0-next.9","9.0.0-next.8","9.0.0-next.7","9.0.0-next.6","9.0.0-next.5","9.0.0-next.4","9.0.0-next.3","zone.js-0.10.2","9.0.0-next.2","9.0.0-next.1","zone.js-0.10.1","9.0.0-next.0","zone.js-0.10.0","8.2.0-next.2","8.2.0-next.1","8.2.0-next.0","8.1.0-rc.0","zone.js-0.9.2","8.1.0-next.3","8.1.0-next.2","8.1.0-next.1","8.1.0-beta.0","8.0.0-rc.0","8.0.0-beta.14","8.0.0-beta.13","8.0.0-beta.12","8.0.0-beta.11","8.0.0-beta.10","8.0.0-beta.9","8.0.0-beta.8","8.0.0-beta.7","8.0.0-beta.6","8.0.0-beta.5","8.0.0-beta.4","8.0.0-beta.3","8.0.0-beta.2","8.0.0-beta.1","8.0.0-beta.0","7.2.0","7.2.0-rc.0","7.2.0-beta.2","7.2.0-beta.1","7.1.0","7.1.0-rc.0","7.1.0-beta.2","7.1.0-beta.1","7.1.0-beta.0","7.0.0-rc.1","7.0.0-rc.0","7.0.0-beta.7","7.0.0-beta.6","7.0.0-beta.5","ngcontainer_0.5.0","7.0.0-beta.4","7.0.0-beta.3","7.0.0-beta.2","7.0.0-beta.1","ngcontainer_0.4.0","7.0.0-beta.0","6.1.0","6.1.0-rc.3","ngcontainer_0.3.3","6.1.0-beta.3","6.1.0-beta.2","6.1.0-beta.1","ngcontainer_0.3.2","6.1.0-beta.0","ngcontainer_0.3.1","ngcontainer_0.3.0","6.0.0-rc.5","6.0.0-rc.4","6.0.0-rc.3","6.0.0-rc.2","6.0.0-rc.1","6.0.0-rc.0","6.0.0-beta.8","6.0.0-beta.7","6.0.0-beta.6","6.0.0-beta.4","6.0.0-beta.3","6.0.0-beta.2","6.0.0-beta.1","6.0.0-beta.0","5.2.0","5.2.0-rc.0","5.2.0-beta.1","5.2.0-beta.0","5.1.0","5.1.0-rc.1","5.1.0-rc.0","5.1.0-beta.2","5.1.0-beta.1","5.1.0-beta.0","5.0.0-rc.4","5.0.0-rc.3","5.0.0-rc.2","5.0.0-rc.1","5.0.0-rc.0","5.0.0-beta.7","5.0.0-beta.6","5.0.0-beta.5","patch_sync","5.0.0-beta.4","5.0.0-beta.3","5.0.0-beta.2","5.0.0-beta.1","5.0.0-beta.0","4.3.0","4.3.0-rc.0","4.3.0-beta.1","4.3.0-beta.0","4.2.1","4.2.0-rc.2","4.2.0-rc.1","4.2.0-rc.0","4.2.0-beta.0","4.1.0","4.1.0-rc.0","4.1.0-beta.1","4.1.0-beta.0","4.0.0","4.0.0-rc.6","4.0.0-rc.5","4.0.0-rc.4","4.0.0-rc.3","4.0.0-rc.2","4.0.0-rc.1","4.0.0-beta.8","4.0.0-beta.7","4.0.0-beta.6","4.0.0-beta.5","4.0.0-beta.3","4.0.0-beta.2","4.0.0-beta.1","2.4.0-marker","2.3.0","4.0.0-beta.0","2.3.0-rc.0","2.3.0-beta.0","2.2.0","2.2.0-rc.0","2.2.0-beta.1","2.2.0-beta.0","2.1.0","2.1.0-rc.0","2.1.0-beta.0","2.0.0","2.0.0-rc.7","2.0.0-rc.6","2.0.0-rc.5","2.0.0-rc.4","2.0.0-rc.3","2.0.0-rc.2","2.0.0-rc.1","2.0.0-rc.0","2.0.0-beta.17","2.0.0-beta.16","2.0.0-beta.14","2.0.0-beta.13","2.0.0-beta.12","2.0.0-beta.11","2.0.0-beta.8","2.0.0-beta.7","2.0.0-beta.6","2.0.0-beta.0","2.0.0-alpha.55","2.0.0-alpha.54","2.0.0-alpha.53","2.0.0-alpha.52","2.0.0-alpha.51","2.0.0-alpha.50","2.0.0-alpha.49","2.0.0-alpha.48","2.0.0-alpha.47","2.0.0-alpha.44","2.0.0-alpha.42","2.0.0-alpha.41","2.0.0-alpha.40","2.0.0-alpha.35","2.0.0-alpha.34","2.0.0-alpha.33","2.0.0-alpha.32","2.0.0-alpha.31","2.0.0-alpha.30","2.0.0-alpha.29","2.0.0-alpha.28","2.0.0-alpha.27","2.0.0-alpha.26","2.0.0-alpha.25","2.0.0-alpha.24","2.0.0-alpha.23","2.0.0-alpha.22","2.0.0-alpha.21","2.0.0-alpha.20","2.0.0-alpha.19","2.0.0-alpha.18","2.0.0-alpha.17","2.0.0-alpha.15","2.0.0-alpha.14","2.0.0-alpha.13"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54265.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}