
AIKIDO-2025-10836

@kolkov/angular-editor is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Nov 26, 2025

71

High Risk

This Affects:

JS: @kolkov/angular-editor
0.1.0 - 3.0.2
Fixed in 3.0.3

TL;DR

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) when the editor value is set through writeValue(): the refreshView() method assigns the value to innerHTML without sanitization, so the sanitize: true configuration is bypassed and XSS payloads execute. Every programmatic way of setting the value is affected, including ngModel binding, FormControl setValue()/patchValue(), and direct property assignment. An attacker can exploit this by inserting a malicious payload into the editor and toggling the preview mode, which triggers execution of the JavaScript.
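The following is an added illustration of the bug class the advisory describes, not code from @kolkov/angular-editor: a component whose sanitize flag guards only the interactive editing path, while the writeValue() path (used by ngModel and FormControl.setValue()/patchValue()) writes innerHTML directly, beside a hardened shape in which every write path goes through one sanitizing gate. The class names, the FakeElement stand-in for a DOM node, and basicSanitizer are constructed for this example; a real Angular component should route the value through DomSanitizer.sanitize(SecurityContext.HTML, value) or an allowlist-based sanitizer library rather than the regex stripper used here to keep the example self-contained.

```typescript
// Added illustrative example (not the @kolkov/angular-editor source): models a
// rendering path that writes innerHTML directly and so ignores the sanitize flag.
// EditorLike classes, FakeElement and basicSanitizer are constructed for this example.

// Minimal stand-in for a DOM element so the example runs under Node without a browser.
class FakeElement {
  innerHTML = '';
}

type HtmlSanitizer = (html: string) => string;

// Stand-in sanitizer used only to keep the example self-contained. Production code
// should use DomSanitizer.sanitize(SecurityContext.HTML, value) or an allowlist-based
// library; a regex stripper like this is not a complete HTML sanitizer.
function basicSanitizer(html: string): string {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')           // drop script elements
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')     // drop inline event handlers
    .replace(/(href|src)\s*=\s*("|')?\s*javascript:[^"'>\s]*("|')?/gi, ''); // drop javascript: URLs
}

// Vulnerable shape: the sanitize flag exists but the programmatic write path never consults it.
class VulnerableEditor {
  readonly view = new FakeElement();
  constructor(readonly sanitize: boolean, readonly sanitizer: HtmlSanitizer) {}

  // Called by Angular forms for every programmatic value change (ngModel, setValue, patchValue).
  writeValue(value: string): void {
    this.refreshView(value);
  }

  private refreshView(value: string): void {
    this.view.innerHTML = value; // written verbatim, regardless of this.sanitize
  }
}

// Hardened shape: a single gate that every write path must pass through.
class HardenedEditor {
  readonly view = new FakeElement();
  constructor(readonly sanitize: boolean, readonly sanitizer: HtmlSanitizer) {}

  writeValue(value: string): void {
    this.refreshView(value);
  }

  private refreshView(value: string): void {
    this.view.innerHTML = this.sanitize ? this.sanitizer(value) : value;
  }
}

// Regression check: after writeValue() with sanitize enabled, the rendered HTML must
// contain no script element, no inline event handler and no javascript: URL.
const UNSAFE_MARKERS = [/<script\b/i, /\son\w+\s*=/i, /javascript:/i];

function rendersUnsafeMarkup(html: string): boolean {
  return UNSAFE_MARKERS.some((re) => re.test(html));
}

// Constructed sample input of the kind a sanitizer test suite uses.
const SAMPLE_INPUT = '<p>hello</p><img src="x" onerror="alert(1)"><script>alert(2)</script>';

function renderWith(editor: { writeValue(v: string): void; view: FakeElement }, value: string): string {
  editor.writeValue(value);
  return editor.view.innerHTML;
}

// Runs both shapes with sanitize: true against the same input.
function demo(): { vulnerable: boolean; hardened: boolean } {
  const vulnerable = new VulnerableEditor(true, basicSanitizer);
  const hardened = new HardenedEditor(true, basicSanitizer);
  return {
    vulnerable: rendersUnsafeMarkup(renderWith(vulnerable, SAMPLE_INPUT)), // true
    hardened: rendersUnsafeMarkup(renderWith(hardened, SAMPLE_INPUT)),     // false
  };
}
```

The point of the hardened shape is structural: the sanitizer runs inside refreshView(), the one place that touches innerHTML, so no caller (template binding, forms API or direct assignment) can reach the DOM without passing it. A regression test like demo() belongs in the component's suite so that a future rendering path cannot reintroduce the bypass silently.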

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range (0.1.0 - 3.0.2).
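As an added example (not Aikido's scanner or the project's own tooling), the following check reads an npm lockfile and reports every installed copy of @kolkov/angular-editor, nested copies included, together with whether it falls in the advisory's affected range. It assumes the npm lockfileVersion 2/3 layout, where installed packages appear under "packages" keyed by their node_modules path; the lockfile fragment at the bottom is constructed for the example.

```typescript
// Added example, not the project's own code: decide from an npm lockfile whether
// the installed @kolkov/angular-editor is in the affected range 0.1.0 - 3.0.2
// (fixed in 3.0.3). Assumes lockfileVersion 2/3 ("packages" keyed by path).

const PACKAGE = '@kolkov/angular-editor';
const FIRST_AFFECTED = '0.1.0';
const FIRST_FIXED = '3.0.3';

// Parse "MAJOR.MINOR.PATCH" (any prerelease or build suffix is dropped); throws on bad input.
function parseSemver(v: string): [number, number, number] {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error('not a semver version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a: string, b: string): number {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected range is inclusive of 0.1.0 and stops just before the first fixed version.
function isAffected(version: string): boolean {
  return compareSemver(version, FIRST_AFFECTED) >= 0 && compareSemver(version, FIRST_FIXED) < 0;
}

interface LockPackages {
  packages?: { [path: string]: { version?: string } };
}

interface Finding {
  path: string;
  version: string;
  affected: boolean;
}

// Lists every installed copy of the package (hoisted or nested) with its verdict.
function auditLockfile(lock: LockPackages): Finding[] {
  const packages = lock.packages || {};
  const findings: Finding[] = [];
  for (const path of Object.keys(packages)) {
    const entry = packages[path];
    const isTarget = path === 'node_modules/' + PACKAGE || path.endsWith('/node_modules/' + PACKAGE);
    if (!isTarget || !entry.version) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed lockfile fragment: one vulnerable hoisted copy and one fixed nested copy.
const SAMPLE_LOCK: LockPackages = {
  packages: {
    '': { version: '1.0.0' },
    'node_modules/@kolkov/angular-editor': { version: '3.0.2' },
    'node_modules/some-wrapper/node_modules/@kolkov/angular-editor': { version: '3.0.3' },
  },
};

// Usage: replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
console.log(auditLockfile(SAMPLE_LOCK));
```

Nested copies matter here: a transitive dependency can pin its own older @kolkov/angular-editor under its node_modules directory, so checking only the top-level entry in package.json can report a project as fixed while a vulnerable copy still ships.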

Background info

@kolkov/angular-editor is vulnerable to Cross-Site Scripting (XSS) in versions 0.1.0 - 3.0.2.

How to fix this

Upgrade the @kolkov/angular-editor library to the patched version (3.0.3 or later).