External risk intelligence

Attacker can take control of systems using Angular Expressions

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-44643

A serious flaw in Angular Expressions, used by many web applications, lets attackers run any code on your system. Update now to prevent complete takeover.

Halo Surface Signal: 4

Affected: Peerigon Angular Expressions, versions before 1.5.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-44643

The vulnerability exists in a library designed for dynamic data binding within web applications. Because these applications frequently process user input and are commonly deployed to the public internet, the vulnerable code path is often reachable in standard web-facing environments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Angular Expressions allows an attacker to execute arbitrary code by crafting malicious expressions. This is critical because it can compromise the entire system where the affected code runs.

  • Arbitrary code execution is a severe risk.
  • Any application using this library is potentially impacted.
  • The issue can be reached remotely.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by crafting a malicious expression that bypasses the sandbox and executes arbitrary code. This could occur if a web application uses a vulnerable version of angular-expressions to process untrusted input, allowing the attacker to compromise the server.

  • Exploitable via untrusted input.
  • Requires use of expression filters.
  • Remote code execution is the goal.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to weaponize this vulnerability due to its presence in a standalone module for a popular web framework, making it accessible in common web application scenarios. The ability to execute arbitrary code via filter manipulation presents a direct pathway for exploitation.

  • Exploitable via malicious expressions.
  • No widespread exploitation observed yet.
  • Public exploit proof-of-concept exists.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of Angular Expressions to version 1.5.2 or later to close the arbitrary code execution flaw. If patching is delayed, block or filter malicious expressions at the network edge.

  • Update angular-expressions to 1.5.2.
  • Block network traffic with suspicious expressions.
  • Monitor for unexpected code execution.
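To act on the first remediation step, a defender needs to know every copy of angular-expressions in a deployment, including nested transitive copies that a top-level update can leave behind. The following is an added example, not code from this advisory or from the Angular Expressions project; it assumes an npm lockfileVersion 2/3 package-lock.json layout, and the lockfile contents below are constructed for illustration.

```javascript
// Added example (not from the advisory): scan an npm lockfile for
// angular-expressions installs below the fixed release 1.5.2 named on this page.
const FIXED_VERSION = "1.5.2";
const PACKAGE = "angular-expressions";

// Compare two dotted semver cores (no pre-release handling, which published
// release pins in a lockfile rarely need); returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and collect
// every install path (including nested copies) whose version is below the fix.
function findVulnerableInstalls(lockfile, fixedVersion = FIXED_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE)) continue;
    if (!meta.version) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the direct dependency is already on 1.5.2, but a
// stale nested copy pulled in by a hypothetical templating library is not.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/angular-expressions": { version: "1.5.2" },
    "node_modules/some-templating-lib": { version: "2.0.0" },
    "node_modules/some-templating-lib/node_modules/angular-expressions": { version: "1.4.3" },
  },
};

// Human-readable report lines, one per install that still needs updating.
function report(lockfile) {
  return findVulnerableInstalls(lockfile).map(
    (h) => `${h.path}: ${h.version} < ${FIXED_VERSION}, update required`
  );
}

console.log(report(sampleLockfile).join("\n"));
```

Run it against a real package-lock.json by replacing the constructed object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.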

Frequently asked questions

What is Angular Expressions and what is it used for?

Angular Expressions is a standalone module for the AngularJS web framework. It provides a way to evaluate expressions, often used for dynamic data binding in web applications, allowing content to change automatically when underlying data is modified.

What weakness does CVE-2026-44643 reveal in Angular Expressions?

CVE-2026-44643 describes a CWE-95 weakness, also known as 'Improper Neutralization of Directives in Dynamically Evaluated Code'. This means a malicious expression using filters can escape security boundaries and run unintended commands on the system.

How can an attacker exploit this Angular Expressions vulnerability?

An attacker can exploit this by sending a specially crafted expression that uses filters to bypass security measures. This could happen if a web application processes untrusted input using a vulnerable version of Angular Expressions, and the attacker's input triggers the bug.

Who should be concerned about CVE-2026-44643?

Organizations running web applications that use Angular Expressions and process user input should be concerned. Halo Surface Signal indicates this is 'Likely' exploitable externally, meaning internet-facing applications are particularly at risk.

What is the first step to address this Angular Expressions vulnerability?

The immediate first step is to update Angular Expressions to version 1.5.2 or later. If immediate patching is not possible, consider implementing network-level filtering for suspicious expressions as a temporary measure.
