CVE-2026-54265 Overview
CVE-2026-54265 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Angular @angular/compiler package. The flaw allows attackers to bypass Angular's built-in Document Object Model (DOM) property sanitization through two-way property bindings. When sensitive native DOM properties such as innerHTML, srcdoc, src, href, data, or sandbox are bound using two-way syntax, the template compiler fails to apply the schema-derived sanitizer. Equivalent one-way bindings are correctly sanitized, leaving two-way bindings as an exploitable gap. The issue affects Angular versions prior to 22.0.1, 21.2.17, and 20.3.25.
Critical Impact
Attackers who control values bound via two-way syntax to sensitive DOM properties can inject script content, leading to client-side XSS in Angular applications.
Affected Products
- Angular versions prior to 22.0.1
- Angular versions prior to 21.2.17
- Angular versions prior to 20.3.25
Discovery Timeline
- 2026-06-22 - CVE-2026-54265 published to the National Vulnerability Database (NVD)
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-54265
Vulnerability Analysis
The vulnerability resides in Angular's template compiler sanitizer resolution logic. Angular applies schema-derived sanitizers to DOM properties that handle untrusted content. The sanitizer maps security-sensitive properties (for example, innerHTML, srcdoc, src, href, data, sandbox) to a sanitization function during compilation.
The compiler's resolver handled Property, Attribute, and DomProperty operation kinds but omitted the TwoWayProperty operation. As a result, bindings written as [(innerHTML)]="value" or bindon-innerHTML="value" emitted property updates without a sanitizer function. An attacker controlling value can place HTML or script payloads directly into the DOM, achieving XSS within the Angular application context.
Root Cause
The sanitizer resolution phase in packages/compiler/src/template/pipeline/src/phases/resolve_sanitizers.ts did not include ir.OpKind.TwoWayProperty in its switch handling. Two-way bindings to sensitive native DOM properties therefore bypassed the schema-driven sanitizer lookup applied to one-way equivalents.
Attack Vector
Exploitation requires an Angular template using two-way binding on a sanitization-sensitive DOM property and a path for attacker-controlled data to reach the bound expression. User interaction is required, consistent with stored or reflected XSS patterns. Once injected, payloads execute in the victim's browser session.
// Patch from packages/compiler/src/template/pipeline/src/phases/resolve_sanitizers.ts
// fix(compiler): sanitize two-way properties
case ir.OpKind.Property:
case ir.OpKind.Attribute:
case ir.OpKind.DomProperty:
+ case ir.OpKind.TwoWayProperty:
let sanitizerFn: o.ExternalReference | null = null;
if (
Array.isArray(op.securityContext) &&
Source: Angular commit 3c70270c
Detection Methods for CVE-2026-54265
Indicators of Compromise
- Application logs showing unexpected <script>, <iframe>, or javascript: content rendered through two-way bound properties.
- Client-side error reports referencing Content Security Policy (CSP) violations on Angular routes that use two-way bindings.
- Outbound requests from end-user browsers to attacker-controlled domains originating from Angular-served pages.
Detection Strategies
- Perform static analysis of Angular templates for [(innerHTML)], [(srcdoc)], [(src)], [(href)], [(data)], [(sandbox)], and equivalent bindon-* syntaxes.
- Audit data flow paths to confirm whether two-way bound values originate from user input, URL parameters, or backend responses that include user-controlled fields.
- Review dependency manifests (package.json, package-lock.json, yarn.lock) for Angular versions below 22.0.1, 21.2.17, and 20.3.25.
Monitoring Recommendations
- Enable CSP reporting endpoints to capture inline script and event-handler violations triggered by injected payloads.
- Monitor browser telemetry for anomalous DOM mutation patterns on pages built with vulnerable Angular versions.
- Track Software Composition Analysis (SCA) findings for the @angular/compiler package across CI/CD pipelines.
How to Mitigate CVE-2026-54265
Immediate Actions Required
- Upgrade Angular to version 22.0.1, 21.2.17, or 20.3.25 depending on the major version in use.
- Rebuild and redeploy all Angular applications after upgrading; the fix is applied at template compile time.
- Inventory templates for two-way bindings on sanitization-sensitive DOM properties and validate the data sources feeding them.
Patch Information
The fix is delivered in Angular 22.0.1, 21.2.17, and 20.3.25. The compiler patch adds ir.OpKind.TwoWayProperty to the sanitizer resolution switch in resolve_sanitizers.ts, ensuring two-way bindings receive the same schema-derived sanitizer as one-way bindings. See the GitHub Security Advisory GHSA-58w9-8g37-x9v5 and Pull Request #69107 for details.
Workarounds
- Replace two-way bindings on sensitive DOM properties with one-way bindings combined with explicit event handlers until the upgrade is applied.
- Wrap untrusted values with DomSanitizer.sanitize() before assignment when two-way syntax cannot be removed.
- Deploy a strict Content Security Policy that blocks inline scripts and restricts script sources to trusted origins.
# Upgrade Angular to a patched release
npm install @angular/compiler@22.0.1 @angular/core@22.0.1
# Or for 21.x line
npm install @angular/compiler@21.2.17 @angular/core@21.2.17
# Or for 20.x line
npm install @angular/compiler@20.3.25 @angular/core@20.3.25
# Verify installed version
npm list @angular/compiler
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

