CVE-2026-44643
Angular Expressions - Remote Code Execution using filters
Description
## Impact An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. Example of vulnerable code: ``` const expressions = require("angular-expressions"); const result = expressions.compile("a | __proto__")({}, {}); ``` This should throw the error : Filter '__proto__' is not defined, however, this shows : Uncaught SyntaxError: Unexpected identifier 'Object' With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. ## Vulnerable versions : angular-expressions <= 1.5.1 ## Patches The problem has been patched in version 1.5.2 of angular-expressions. ## Credits Credits go to San Gil from [www.securityoffice.io](https://securityoffice.io/) who has found the issue and reported it to us.
How to fix CVE-2026-44643
To remediate CVE-2026-44643, upgrade the affected package to a fixed version below.
- —upgrade to 1.5.2 or later
Is CVE-2026-44643 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.5.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |