CVE-2026-52725 Overview
CVE-2026-52725 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in the @angular/core package. The flaw resides in the dynamic component instantiation mechanism exposed through the createComponent API. Angular failed to reject mounting components onto <script> or namespaced script elements such as <svg:script>. An attacker who controls the host element or selector parameter passed to createComponent can mount an Angular component directly onto a script-executing tag. This results in execution of untrusted code in the browser context. The issue is fixed in Angular versions 22.0.0-rc.2, 21.2.15, 20.3.22, and 19.2.23.
Critical Impact
Attackers who control the host element or selector argument passed to createComponent can achieve client-side script execution, leading to session hijacking, credential theft, or unauthorized actions in the user's browser context.
Affected Products
- Angular @angular/core versions prior to 22.0.0-rc.2
- Angular @angular/core versions prior to 21.2.15 and 20.3.22
- Angular @angular/core versions prior to 19.2.23
Discovery Timeline
- 2026-06-22 - CVE-2026-52725 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-52725
Vulnerability Analysis
The vulnerability exists in Angular's dynamic component creation pipeline. The createComponent function programmatically instantiates components at runtime and attaches them to a specified host DOM element. Angular's framework normally enforces restrictions that prevent script-execution contexts from being used as component hosts. Prior to the fixed versions, createComponent did not validate whether the target host was a <script> element or a namespaced variant such as <svg:script>. When a component is initialized on such an element, the resulting DOM mutation can cause the browser to execute the contained content as JavaScript. The Exploit Prediction Scoring System (EPSS) score is 0.404%, reflecting low expected exploitation activity in the short term.
Root Cause
The root cause is missing validation of the host element type within the dynamic component instantiation path. Angular's selector and host resolution logic treated <script> and namespaced script elements the same as benign HTML elements. The framework's existing safeguards against unsafe DOM operations did not extend to the createComponent entry point. This represents an incomplete enforcement of Angular's safe-by-default rendering model.
Attack Vector
Exploitation requires that an attacker influence either the host element reference or the selector parameter passed to createComponent. Applications that derive these values from untrusted input — for example, route data, query parameters, or server responses — are exposed. The attack requires user interaction, since the script element must be rendered in a victim's browser session. Once mounted, the script tag executes attacker-controlled content within the application's origin, enabling Cross-Site Scripting (XSS) outcomes such as token theft and authenticated request forgery.
No public proof-of-concept code is available. For implementation specifics, see the GitHub Security Advisory GHSA-692r-grfm-v8x7 and the upstream fixes in GitHub Pull Request #68686 and GitHub Pull Request #68713.
Detection Methods for CVE-2026-52725
Indicators of Compromise
- Unexpected <script> or <svg:script> nodes injected into the rendered DOM of Angular applications.
- Outbound requests from browsers to attacker-controlled domains originating from authenticated application sessions.
- Browser console errors referencing component instantiation on script-typed host elements.
Detection Strategies
- Audit application source for calls to createComponent where the host element or selector is derived from user-controlled input.
- Deploy Content Security Policy (CSP) reporting to capture script-src violations indicative of dynamic script injection.
- Implement client-side runtime monitoring to flag DOM mutations that add script nodes after initial page load.
Monitoring Recommendations
- Monitor web application firewall (WAF) and CDN logs for payloads containing <script> or svg:script patterns in request parameters.
- Track Angular dependency versions across build pipelines using software composition analysis (SCA) tooling.
- Review CSP violation reports for unexpected inline script execution attempts on production endpoints.
How to Mitigate CVE-2026-52725
Immediate Actions Required
- Upgrade @angular/core to 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23 depending on the major version in use.
- Identify and remove any code path that passes user-controlled values to the createComponent host or selector parameters.
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources.
Patch Information
The Angular team addressed the issue by adding validation in the dynamic component instantiation logic to reject <script> and namespaced script elements as component hosts. The fixes are tracked in GitHub Pull Request #68686 and GitHub Pull Request #68713. Upgrade paths are documented in the GitHub Security Advisory GHSA-692r-grfm-v8x7.
Workarounds
- Validate and constrain any input used to resolve host elements or selectors for createComponent to a fixed allowlist of safe tags.
- Apply a strict CSP with script-src 'self' and avoid unsafe-inline to limit the impact of any injected script tags.
- Sanitize server-rendered template fragments and route data before they reach Angular component instantiation logic.
# Configuration example
npm install @angular/core@21.2.15
# Or for Angular 20.x
npm install @angular/core@20.3.22
# Or for Angular 19.x
npm install @angular/core@19.2.23
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

