Angular vulnerable to Cross-site Scripting

Severity:: Medium

Description

angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping <option> elements in <select> ones changes parsing behavior, leading to possibly unsanitizing code.

Recommendation

Update the angular package to the latest compatible version. Followings are version details:

Affected version(s): < 1.8.0
Patched version(s): 1.8.0

References

GHSA-mhp6-pxh8-r675
snyk.io
lists.apache.org
CVE-2020-7676
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

angular Prototype Pollution vulnerability - CVE-2019-10768
svelte vulnerable to Cross-site Scripting - CVE-2025-15265
AngularJS allows attackers to bypass common image source restrictions (GHSA-mqm9-c95h-x2p6) - CVE-2024-8373
AngularJS allows attackers to bypass common image source restrictions - CVE-2024-8372

Tags:: npm; angular

Anything's wrong? Let us know Last updated on November 20, 2025