[ https://issues.apache.org/jira/browse/NIFI-15459?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18051403#comment-18051403 ]

ASF subversion and git services commented on NIFI-15459:
--------------------------------------------------------

Commit 58fc0b18c4ef32ebd73d22bd2a084445ed694660 in nifi's branch refs/heads/main from Rob Fellows
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=58fc0b18c4 ]

NIFI-15459 - Security: Update Angular to 20.3.16 to patch XSS vulnerability (CVE-2026-22610) (#10762)

Addresses high-severity XSS vulnerability in Angular's SVG script attribute sanitization.

Changes:
- Updated @angular/* packages from 20.3.15 to 20.3.16 (security patch)
- Regenerated package-lock.json with updated dependency tree

Verification:
- Build completes successfully
- All 271 test suites pass (1,303 tests total)
- npm audit: 0 vulnerabilities
- No regressions detected

Vulnerability Details:
- CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6)
- Affects: Angular 20.0.0-next.0 through 20.3.15
- Issue: SVG script href/xlink:href attributes not recognized as Resource URL contexts
- Fixed in: Angular 20.3.16

References:
- https://github.com/advisories/GHSA-jrmj-c5cx-3cw6
- https://osv.dev/vulnerability/GHSA-jrmj-c5cx-3cw6

> UI - Address dependabot issues relating to: Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: NIFI-15459
>                 URL: https://issues.apache.org/jira/browse/NIFI-15459
>             Project: Apache NiFi
>          Issue Type: Task
>          Components: Core UI
>            Reporter: Rob Fellows
>            Assignee: Rob Fellows
>            Priority: Major
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> [https://github.com/apache/nifi/security/dependabot/518]
> [https://github.com/apache/nifi/security/dependabot/516]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)