Anonymous Intelligence Signal

Angular Core v19 Update Closes Critical XSS Vulnerability in SVG Script Handling (CVE-2026-22610)

By: The Lab (human-authored, unverified) | 2026-03-29 05:26:53 | Source: GitHub Issues

A critical security vulnerability in the Angular framework has been patched, and for dependent projects the fix means a major version jump from v16 to v19. The flaw, tracked as CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6), is a cross-site scripting (XSS) vulnerability that stems from the framework's failure to properly sanitize script-related attributes in SVG content. This gives attackers a direct vector to inject and execute malicious scripts within applications built on affected versions of Angular.

The vulnerability resides in the `@angular/core` package. Automated dependency management tools such as Renovate are flagging the update as a security priority and automatically generating pull requests that upgrade from versions as old as 16.2.3 directly to the patched v19.0.0. The size of that version leap underscores the severity of the underlying issue: a bypass of Angular's built-in sanitization safeguards for a common web format.

This patch puts immediate pressure on development teams across the global software ecosystem. Any application that uses Angular for front-end rendering and processes user-provided SVG content is potentially at risk until the update is applied. The automatic closure of related update tickets signals that staying on outdated dependencies is no longer an option, turning a routine maintenance task into an urgent security mandate. Organizations must now audit their Angular-based projects and prioritize this update to mitigate the risk of client-side code injection attacks.
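The audit the advisory calls for starts with knowing where `@angular/core` is installed and at what version, including nested copies pulled in by other packages. The following script is an added example, not code from the advisory or from the Angular project: it walks an npm lockfile's `packages` map (lockfile v2/v3 shape) and reports every installed copy of `@angular/core` below the patched release. It assumes, following the advisory's framing, that any version below 19.0.0 should be treated as needing the update; the sample lockfile is constructed for the example.

```javascript
// Added example: audit an npm lockfile for @angular/core below the patched release.
// Not part of the advisory or the Angular project.
const PATCHED_VERSION = '19.0.0';      // patched release named in the advisory
const AFFECTED_PACKAGE = '@angular/core';

// Parse "16.2.3" or "19.0.0-rc.1" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release sorts below
// the corresponding final release, so "19.0.0-rc.1" is still below "19.0.0".
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Return every installed copy of the affected package whose version is below
// `patched`. Keys in lockfile.packages look like "node_modules/@angular/core"
// or, for nested installs, "node_modules/<dep>/node_modules/@angular/core".
function findVulnerableAngularCore(lockfile, patched = PATCHED_VERSION) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    if (!entry || !entry.version) continue;
    if (compareSemver(entry.version, patched) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (assumption: not a real project's lockfile).
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@angular/core': { version: '16.2.3' },
    'node_modules/legacy-widget/node_modules/@angular/core': { version: '18.2.0' },
    'node_modules/@angular/common': { version: '16.2.3' },
  },
};

// Stand-alone usage: `node audit-angular-core.js` (reads the constructed sample;
// replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json')) in practice).
if (typeof require !== 'undefined' && require.main === module) {
  const findings = findVulnerableAngularCore(SAMPLE_LOCKFILE);
  for (const f of findings) {
    console.log(`${f.path}: ${f.version} < ${PATCHED_VERSION} (update required)`);
  }
  if (findings.length === 0) console.log('no affected @angular/core copies found');
}
```

Nested copies matter here: a transitive dependency that bundles its own `@angular/core` will not be fixed by bumping the root package alone, which is why the walk matches on the trailing path segment rather than only the top-level key.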