Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25.
Angular: Two-Way Property Binding Sanitization Bypass (XSS)
Problem type
Affected products
angular
>= 22.0.0-next.0 < 22.0.1 - AFFECTED
>= 21.0.0-next.0 < 21.2.17 - AFFECTED
>= 20.0.0-next.0 < 20.3.25 - AFFECTED
<= 19.2.25 - AFFECTED
References
https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5
https://github.com/angular/angular/pull/69107
https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4
GitHub Security Advisories
GHSA-58w9-8g37-x9v5
@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)
https://github.com/advisories/GHSA-58w9-8g37-x9v5An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings.
Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]="value" or bindon-innerHTML="value"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized.
This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS).
Impact
Any Angular application that uses two-way data binding ([()] or bindon-) on security-sensitive native DOM properties (like innerHTML, href on <a>, src on <img>/<iframe>, etc.) is vulnerable to this security bypass.
Once exploited, this allows a malicious actor to supply an unsanitized property binding value that bypasses core sanitization constraints. This could lead to the execution of arbitrary JavaScript within the target user's browser context, potentially resulting in session hijacking, sensitive data exposure, or unauthorized actions on behalf of the user.
Attack Preconditions
To successfully exploit this vulnerability, the following environment parameters and application states must concurrently exist:
- Two-Way Binding on Sensitive Properties: The application must bind to a sensitive native DOM property using the two-way binding syntax (e.g.,
<div [(innerHTML)]="userContent"></div>). - User-Controlled Input: The value bound to this property must be influenceable by user-controlled input.
- Absence of Additional Sanitization: The application does not perform separate manual sanitization (e.g., via
DomSanitizer) before passing the value to the bound property.
Patches
- 22.0.1
- 21.2.17
- 20.3.25
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-54265Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-54265",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T15:54:58.231Z",
"dateReserved": "2026-06-12T17:13:32.279Z",
"datePublished": "2026-06-22T15:27:38.802Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T15:27:38.802Z"
},
"title": "Angular: Two-Way Property Binding Sanitization Bypass (XSS)",
"descriptions": [
{
"lang": "en",
"value": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.1, 21.2.17, and 20.3.25, an issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization (such as innerHTML, srcdoc, src, href, data, or sandbox) is bound using the two-way binding syntax (e.g., [(innerHTML)]=\"value\" or bindon-innerHTML=\"value\"), the Angular template compiler failed to apply the appropriate schema-derived sanitizer resolution to the TwoWayProperty operation. As a result, native two-way DOM bindings were emitted without the required sanitizer function, whereas equivalent one-way bindings would be properly sanitized. This flaw enables an attacker who can control the value of a two-way bound sensitive property to bypass Angular's built-in sanitization logic, potentially leading to client-side Cross-Site Scripting (XSS). This vulnerability is fixed in 22.0.1, 21.2.17, and 20.3.25."
}
],
"affected": [
{
"vendor": "angular",
"product": "angular",
"versions": [
{
"version": ">= 22.0.0-next.0 < 22.0.1",
"status": "affected"
},
{
"version": ">= 21.0.0-next.0 < 21.2.17",
"status": "affected"
},
{
"version": ">= 20.0.0-next.0 < 20.3.25",
"status": "affected"
},
{
"version": "<= 19.2.25",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5",
"name": "https://github.com/angular/angular/security/advisories/GHSA-58w9-8g37-x9v5",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/angular/angular/pull/69107",
"name": "https://github.com/angular/angular/pull/69107",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4",
"name": "https://github.com/angular/angular/commit/3c70270c96677c0dd33585f2afe8e187113e5fb4",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-06-22T15:54:58.231Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}