Stored XSS Vulnerability in Angular via SVG and MathML Bypass
A high-severity vulnerability, tracked as CVE-2025-66412, has been discovered in the Angular framework, allowing stored cross-site scripting (XSS) attacks through SVG animation, SVG URL, and MathML attributes. The flaw exists in the Angular Template Compiler, where the internal security schema fails to properly classify certain URL-holding attributes as requiring strict URL security, enabling attackers to inject malicious scripts that bypass Angular's built-in sanitization. This vulnerability affects Angular versions prior to 21.0.2, 20.3.15, and 19.2.17, and has been addressed in these subsequent releases.
Attackers exploiting this vulnerability can persistently inject malicious JavaScript into web applications built with vulnerable Angular versions, potentially compromising user data and session integrity. Organizations using Angular are strongly advised to update to the fixed versions to mitigate the risk of exploitation. The vulnerability is remotely exploitable and has been rated as high severity, with a CVSS 4.0 score of 8.5, underscoring the urgency for prompt remediation.
Timeline
Dec 3, 2025
Public reporting highlights CVE-2025-66412 sanitization bypass details
A public vulnerability report described CVE-2025-66412 as a high-severity Angular flaw that allows stored XSS by bypassing sanitization through SVG and MathML-related vectors. The reporting reiterated the vulnerability's impact and exploit path but did not introduce a separate new incident.
Dec 1, 2025
Angular fixes stored XSS flaw CVE-2025-66412 in multiple release branches
Angular addressed CVE-2025-66412, a high-severity stored XSS vulnerability in the Template Compiler caused by incomplete security schema handling for certain SVG, SVG URL, and MathML attributes. The issue was fixed in versions 21.0.2, 20.3.15, and 19.2.17, with earlier versions affected.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Cross-Site Scripting Vulnerabilities in SiYuan, Angular, and @leanprover/unicode-input-component
Multiple newly reported **cross-site scripting (XSS)** vulnerabilities affect unrelated software products, including **SiYuan**, **Angular**, and **@leanprover/unicode-input-component**. In SiYuan, incomplete SVG sanitization can let an unauthenticated attacker deliver a crafted URL that executes arbitrary JavaScript in the application's origin, enabling theft of session tokens, cookies, and API keys, as well as unauthorized access to notes, document contents, and configuration data. In Electron-based deployments, the impact may escalate to **remote code execution** if insecure web preferences such as `nodeIntegration` are enabled or `contextIsolation` is disabled. Angular disclosed a separate XSS flaw, tracked as **CVE-2026-32635**, caused by a sanitization bypass involving internationalized security-sensitive attributes such as `href` when combined with untrusted data binding; fixed versions include `22.0.0-next.3`, `21.2.4`, `20.3.18`, and `19.2.20`. A third, distinct issue, **CVE-2026-32732**, affects **@leanprover/unicode-input-component** and allows arbitrary JavaScript execution in a victim's browser session, potentially enabling session abuse, data access, and unauthorized backend requests. These are separate vulnerability disclosures rather than a single coordinated incident, and the content is substantive security reporting rather than fluff.
1 months ago
Client-Side Injection Flaws Expose Sessions and Sensitive Data in AVideo and dom-sanitizer
Two newly disclosed web application flaws expose users to client-side data theft through content injection. In AVideo's **TopMenu** plugin, a stored cross-site scripting issue tracked as `GHSA-GMPC-FXG2-VCMQ` carries a CVSS 3.1 score of **6.1** and allows attackers to inject JavaScript that can read `document.cookie`, steal active session tokens, and impersonate users or administrators. Because the TopMenu component is rendered globally across the application, a malicious payload can execute for all site visitors, creating broad exposure and enabling follow-on attacks such as credential harvesting and fake login prompts. A separate issue in `rhukster/dom-sanitizer`, tracked as `GHSA-93VF-569F-22CQ`, allows **CSS injection** through SVG `style` tags and is rated **4.7** under CVSS 3.1. The flaw can be exploited remotely without authentication when a victim renders a crafted SVG in a browser, potentially disclosing the victim's IP address, browser details, exact page URL, and sensitive DOM-resident data such as CSRF tokens or partial session identifiers. While the sanitizer flaw does not directly alter server-side state or disrupt availability, both disclosures highlight how server-side handling of untrusted content can be turned into browser-based theft of session and application data.
3 weeks ago
Google Chrome Heap Corruption Vulnerability (CVE-2025-13042) Enables Remote Code Execution
A high-severity vulnerability, tracked as CVE-2025-13042, was identified in the V8 JavaScript engine of Google Chrome, allowing remote attackers to exploit heap corruption through specially crafted HTML pages. This flaw could enable remote code execution on affected systems, posing significant risks to users who visit malicious websites. Google released an emergency fix to address the issue, urging users to update their browsers immediately to mitigate potential exploitation. The vulnerability affects Google Chrome versions prior to 142.0.7444.166, and its severity is underscored by a CVSS score of 8.8. Security advisories highlight that the flaw is remotely exploitable and could be leveraged by attackers to gain control over vulnerable systems. Organizations are advised to prioritize patching and monitor for any signs of exploitation in their environments.
1 months ago