Stored XSS Vulnerability in Angular via SVG and MathML Bypass
A high-severity vulnerability, tracked as CVE-2025-66412, has been discovered in the Angular framework, allowing stored cross-site scripting (XSS) attacks through SVG animation, SVG URL, and MathML attributes. The flaw exists in the Angular Template Compiler, where the internal security schema fails to properly classify certain URL-holding attributes as requiring strict URL security, enabling attackers to inject malicious scripts that bypass Angular's built-in sanitization. This vulnerability affects Angular versions prior to 21.0.2, 20.3.15, and 19.2.17, and has been addressed in these subsequent releases.
Attackers exploiting this vulnerability can persistently inject malicious JavaScript into web applications built with vulnerable Angular versions, potentially compromising user data and session integrity. Organizations using Angular are strongly advised to update to the fixed versions to mitigate the risk of exploitation. The vulnerability is remotely exploitable and has been rated as high severity, with a CVSS 4.0 score of 8.5, underscoring the urgency for prompt remediation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Public reporting highlights CVE-2025-66412 sanitization bypass details
A public vulnerability report described CVE-2025-66412 as a high-severity Angular flaw that allows stored XSS by bypassing sanitization through SVG and MathML-related vectors. The reporting reiterated the vulnerability's impact and exploit path but did not introduce a separate new incident.
Angular fixes stored XSS flaw CVE-2025-66412 in multiple release branches
Angular addressed CVE-2025-66412, a high-severity stored XSS vulnerability in the Template Compiler caused by incomplete security schema handling for certain SVG, SVG URL, and MathML attributes. The issue was fixed in versions 21.0.2, 20.3.15, and 19.2.17, with earlier versions affected.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
High-Severity Angular Flaw (CVE-2025-66412) Allows Stored XSS via SVG and MathML Bypass
securityonline.info
Open sourceCVE-2025-66412 - Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cross-Site Scripting Vulnerabilities in SiYuan, Angular, and @leanprover/unicode-input-component
Multiple newly reported **cross-site scripting (XSS)** vulnerabilities affect unrelated software products, including **SiYuan**, **Angular**, and **@leanprover/unicode-input-component**. In SiYuan, incomplete SVG sanitization can let an unauthenticated attacker deliver a crafted URL that executes arbitrary JavaScript in the application's origin, enabling theft of session tokens, cookies, and API keys, as well as unauthorized access to notes, document contents, and configuration data. In Electron-based deployments, the impact may escalate to **remote code execution** if insecure web preferences such as `nodeIntegration` are enabled or `contextIsolation` is disabled. Angular disclosed a separate XSS flaw, tracked as **CVE-2026-32635**, caused by a sanitization bypass involving internationalized security-sensitive attributes such as `href` when combined with untrusted data binding; fixed versions include `22.0.0-next.3`, `21.2.4`, `20.3.18`, and `19.2.20`. A third, distinct issue, **CVE-2026-32732**, affects **@leanprover/unicode-input-component** and allows arbitrary JavaScript execution in a victim's browser session, potentially enabling session abuse, data access, and unauthorized backend requests. These are separate vulnerability disclosures rather than a single coordinated incident, and the content is substantive security reporting rather than fluff.
Apr 1, 2026
Stored XSS in sanitize-html Defaults via Disallowed `xmp` Tag Bypass
A vulnerability tracked as **CVE-2026-44990** allows stored cross-site scripting in `sanitize-html` when applications use the library’s default configuration and later render sanitized user content as trusted HTML. The flaw affects versions prior to **2.17.4** and stems from the handling of the disallowed `xmp` element: because `htmlparser2` treats `xmp` as a raw-text tag, attacker-supplied markup inside it is preserved as text during sanitization but can be emitted back as active HTML or JavaScript under the default `disallowedTagsMode: 'discard'` behavior. GitHub’s advisory and the upstream patch say the bypass can let payloads such as `<script>`, `img` event handlers, and `svg`-embedded script content survive filtering and execute in a victim’s browser. The fix in **2.17.4** adds `xmp` to `nonTextTags` so content inside a disallowed `xmp` tag is dropped instead of re-emitted, and regression tests were added to confirm the malicious content is removed. The issue was reported by **Vincenzo Turturro** (`sushi-gif`), and users of affected `sanitize-html` deployments, including those in **ApostropheCMS**, were urged to update immediately.
Jun 13, 2026
Angular SSR Flaw Enables SSRF via Malformed URLs in Server-Side Rendering
Angular disclosed a **server-side request forgery (SSRF)** issue in `@angular/platform-server` that affects applications using Server-Side Rendering. The flaw, tracked as `CVE-2026-41423`, stems from improper handling of protocol-relative and backslash-based URLs passed from server engines such as Express into Angular rendering functions. A crafted request can cause Angular to treat an attacker-controlled domain as the application's origin, allowing relative `HttpClient` requests and `PlatformLocation.hostname` references to resolve to external infrastructure. The issue can expose internal services, including private APIs and cloud metadata endpoints, and related advisory material also links the bug family to **header injection** risks in Angular SSR deployments. Angular fixed the vulnerability in versions `19.2.21`, `20.3.19`, `21.2.9`, and `22.0.0-next.8`, leaving earlier releases vulnerable where SSR is enabled and untrusted request paths can influence rendering context.
May 28, 2026