Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-22610
Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
- ❌ compiler-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Publish Date: 2026-01-10
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-jrmj-c5cx-3cw6
Release Date: 2026-01-10
Fix Resolution: angular - 20.3.16,angular - 21.0.7,angular - 19.2.18,https://github.com/angular/angular.git - v19.2.18,https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v21.0.7
Step up your Open Source Security Game with Mend here
CVE-2025-66412
Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
- ❌ compiler-15.2.2.tgz (Vulnerable Library)
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
Publish Date: 2025-12-01
URL: CVE-2025-66412
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-12-01
Fix Resolution: https://github.com/angular/angular.git - 21.0.2,https://github.com/angular/angular.git - 19.2.17,https://github.com/angular/angular.git - 20.3.15
Step up your Open Source Security Game with Mend here
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Publish Date: 2026-01-10
URL: CVE-2026-22610
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-jrmj-c5cx-3cw6
Release Date: 2026-01-10
Fix Resolution: angular - 20.3.16,angular - 21.0.7,angular - 19.2.18,https://github.com/angular/angular.git - v19.2.18,https://github.com/angular/angular.git - v20.3.16,https://github.com/angular/angular.git - v21.1.0-rc.0,https://github.com/angular/angular.git - v21.0.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - compiler-15.2.2.tgz
Angular - the compiler library
Library home page: https://registry.npmjs.org/@angular/compiler/-/compiler-15.2.2.tgz
Path to dependency file: /MangoAPI.Client/package.json
Path to vulnerable library: /MangoAPI.Client/node_modules/@angular/compiler/package.json
Dependency Hierarchy:
Found in HEAD commit: 0c9bb5bd04415d4d387e12646c7ce749fd8ffae2
Found in base branch: main
Vulnerability Details
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
Publish Date: 2025-12-01
URL: CVE-2025-66412
CVSS 3 Score Details (8.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-12-01
Fix Resolution: https://github.com/angular/angular.git - 21.0.2,https://github.com/angular/angular.git - 19.2.17,https://github.com/angular/angular.git - 20.3.15
Step up your Open Source Security Game with Mend here