Main Vulnerability Database Vulnerabilities #VU118873

Stored cross-site scripting in Angular - #VU118873

Published: December 1, 2025

Vulnerability identifier: #VU118873

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Google

Affected software:
Angular

Detailed vulnerability description

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Angular Template Compiler. A remote user can use SVG animation elements, SVG URL or MathML attributes to permanently inject and execute arbitrary JavaScript code in victim's browser.

Remediation

Install updates from vendor's website.

Sources

https://github.com/angular/angular/security/advisories/GHSA-v4hv-rgfq-gp49

Stored cross-site scripting in Angular - #VU118873

Detailed vulnerability description

Remediation

Sources

Please verify you're human