Update @angular/compiler to v20.3.16 (release/9.4)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@angular/compiler (source)	20.3.15 → 20.3.16

---

Angular has XSS Vulnerability via Unsanitized SVG Script Attributes

CVE-2026-22610 / GHSA-jrmj-c5cx-3cw6

More information

Details

A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG <script> elements as a Resource URL context.

In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes for example, <script [attr.href]="userInput"> the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a data:text/javascript URI or a link to an external malicious script.

Impact

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

• Session Hijacking: Stealing session cookies, localStorage data, or authentication tokens.
• Data Exfiltration: Accessing and transmitting sensitive information displayed within the application.
• Unauthorized Actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Attack Preconditions

1. The victim application must explicitly use SVG <script> elements within its templates.
2. The application must use property or attribute binding (interpolation) for the href or xlink:href attributes of those SVG scripts.
3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

Patches

• 19.2.18
• 20.3.16
• 21.0.7
• 21.1.0-rc.0

Workarounds

Until the patch is applied, developers should:

• Avoid Dynamic Bindings: Do not use Angular template binding (e.g., [attr.href]) for SVG <script> elements.
• Input Validation: If dynamic values must be used, strictly validate the input against a strict allowlist of trusted URLs on the server side or before it reaches the template.

Resources

• https://github.com/angular/angular/pull/66318

Severity

• CVSS Score: 8.5 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/angular/angular/security/advisories/GHSA-jrmj-c5cx-3cw6
• https://nvd.nist.gov/vuln/detail/CVE-2026-22610
• https://github.com/angular/angular/pull/66318
• https://github.com/angular/angular/commit/91dc91bae4a1bbefc58bef6ef739d0e02ab44d56
• https://github.com/angular/angular

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

angular/angular (@​angular/compiler)

v20.3.16

Compare Source

core

Commit	Type	Description
c2c2b4aaa8	fix	sanitize sensitive attributes on SVG script elements

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Matthbo]

Stupid maven metadata....