Angular Expressions Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Angular Expressions versions prior to 1.0.1. The issue arises when user-controlled input is passed to the `expressions.compile()` function. In a browser environment, this could allow an attacker to execute arbitrary scripts. On the server side, any JavaScript expression could be executed, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server or client side, depending on where Angular Expressions is used.

Reproduction

To reproduce this vulnerability, use a version of Angular Expressions prior to 1.0.1 and call the `expressions.compile()` method with user-controlled input. This can be done in a browser environment, where the compiled expression will be executed as a script, or on the server, where it will be executed as JavaScript code.

Remediation

Upgrade Angular Expressions to version 1.0.1 or later.

Added: May 15, 2026, 9:26 AM
Updated: May 15, 2026, 9:26 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.7
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.