CVE-2025-66412
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML AttributesAngular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 21.0.2, 20.3.15, and 19.2.17, A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain javascript: URLs) as requiring strict URL security, enabling the injection of malicious scripts. This vulnerability is fixed in 21.0.2, 20.3.15, and 19.2.17.
We have discovered 16,808 live websites that are affected by CVE-2025-66412.
Affected Software
| Product |  Angular |
| Category | Web Application Frameworks |
| Vulnerable Domains | 16,808 live websites (67% of Angular install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 408 versions ( 97% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Dec 1, 2025
- Updated - Dec 2, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-66412 United States | 6,877 websites |
 Germany | 1,903 websites |
 Iran | 782 websites |
 France | 613 websites |
 GB | 537 websites |
 Russia | 528 websites |
 Brazil | 477 websites |
 Italy | 363 websites |
 India | 304 websites |
 Belgium | 271 websites |
Website Distribution by TLD
Number of websites using CVE-2025-66412| .com | 5,658 websites |
| .de | 1,357 websites |
| .org | 542 websites |
| .co.uk | 465 websites |
| .ru | 437 websites |
| .fr | 404 websites |
| .it | 358 websites |
| .com.br | 339 websites |
| .be | 315 websites |
| .net | 291 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-66412
Top websites that are affected by CVE-2025-66412. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.org | United States | *** | |
| ****.ir | Iran | *,*** | |
| ************.com | United States | *,*** | |
| *************.net | United States | *,*** | |
| ***.fr | France | *,*** | |
| ********.com | United States | *,*** | |
| ******.*****.com |  Luxembourg | *,*** | |
| ***********.***.au |  Australia | *,*** | |
| ******.ru | Russia | *,*** | |
| *****.com | United States | *,*** |
FAQ
CVE-2025-66412 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Angular
A total of 16,808 websites have been identified as vulnerable to CVE-2025-66412, based on global website indexing conducted by WebTechSurvey.
The Angular is affected by the CVE-2025-66412 vulnerability.
Angular versions up to 21.0.2 are vulnerable to CVE-2025-66412.
CVE-2025-66412 is resolved in version 21.0.2 of Angular.