{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/angular-expressions/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-44643"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["angular-expressions (\u003c= 1.5.1)"],"_cs_severities":["critical"],"_cs_tags":["rce","angular-expressions","cve-2026-44643"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eangular-expressions\u003c/code\u003e library, up to version 1.5.1, is vulnerable to remote code execution. This vulnerability, identified as CVE-2026-44643, allows an attacker to craft a malicious expression that escapes the sandbox environment of the library. By exploiting this flaw, an attacker can execute arbitrary code on the system where the vulnerable library is used. This poses a significant risk to applications utilizing \u003ccode\u003eangular-expressions\u003c/code\u003e for expression evaluation, potentially leading to complete system compromise. The vulnerability was discovered by San Gil from SecurityOffice. Version 1.5.2 of \u003ccode\u003eangular-expressions\u003c/code\u003e contains the fix.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application using a vulnerable version (\u0026lt;= 1.5.1) of the \u003ccode\u003eangular-expressions\u003c/code\u003e library.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious expression designed to exploit the sandbox escape vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious expression into the application, potentially through user input or other application logic.\u003c/li\u003e\n\u003cli\u003eThe application uses the \u003ccode\u003eexpressions.compile()\u003c/code\u003e function to compile the malicious expression. For example: \u003ccode\u003eexpressions.compile(\u0026quot;a | __proto__\u0026quot;)({}, {})\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eangular-expressions\u003c/code\u003e library fails to properly sanitize the expression, allowing it to bypass the sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe expression gains access to underlying JavaScript engine internals (e.g., \u003ccode\u003e__proto__\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this access to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThis arbitrary code execution could lead to complete compromise of the affected system, including data exfiltration, service disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the system hosting the application utilizing the vulnerable \u003ccode\u003eangular-expressions\u003c/code\u003e library. This can lead to complete system compromise, including data exfiltration, installation of malware, or denial of service. The severity is critical due to the potential for unauthenticated remote code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eangular-expressions\u003c/code\u003e library to version 1.5.2 or later to patch CVE-2026-44643.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-44643 Exploitation — angular-expressions Sandbox Escape\u003c/code\u003e to detect attempts to exploit the vulnerability in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation to prevent the injection of malicious expressions into applications using \u003ccode\u003eangular-expressions\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eContinuously monitor web server logs for suspicious activity related to expression compilation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:22:08Z","date_published":"2026-05-11T16:22:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-angular-expression-rce/","summary":"A remote code execution vulnerability (CVE-2026-44643) exists in angular-expressions versions 1.5.1 and earlier, allowing an attacker to execute arbitrary code on the system by crafting a malicious expression that bypasses the sandbox.","title":"Angular Expressions Remote Code Execution via Malicious Filter","url":"https://feed.craftedsignal.io/briefs/2026-05-angular-expression-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Angular-Expressions","version":"https://jsonfeed.org/version/1.1"}