#VU118873 Stored cross-site scripting in Angular

 


Published: December 1, 2025


Vulnerability identifier: #VU118873
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Angular
Software vendor: Google

Description

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Angular Template Compiler. A remote user can use SVG animation elements, SVG URL or MathML attributes to permanently inject and execute arbitrary JavaScript code in the victim's browser.


Remediation

Install updates from the vendor's website.

External links