Threat Advisory

Angular Expressions Remote Execution Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

CVE-2026-44643, with a CVSS score of 9.0, is a critical vulnerability in the npm package angular-expressions affecting versions 1.5.1 and earlier. It is a remote code execution issue in Angular Expressions, a module providing expressions for the Angular.JS web framework. Prior to version 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. An attacker can exploit this vulnerability by crafting a malicious expression that is executed through the angular-expressions module, requiring only read access to a system where the vulnerable package is installed. Successful exploitation lets the attacker execute arbitrary code on the system, with significant business impact including potential data breaches, system compromise, and financial loss. Exploitation depends on the attacker being able to inject malicious code into the angular-expressions module, which can occur through various means, including untrusted user input or third-party library dependencies.

RECOMMENDATION:

  • We recommend updating npm/angular-expressions to version 1.5.2.

REFERENCES:

The following report contains further technical details:
https://github.com/advisories/GHSA-pw8r-6689-xvf4