CVE-2026-44643: Angular Expressions - Remote Code Execution using filters

May 11, 2026 (updated May 13, 2026)

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Example of vulnerable code:

const expressions = require("angular-expressions");
const result = expressions.compile("a | __proto__")({}, {});

This should throw the error : Filter ‘proto’ is not defined, however, this shows :

Uncaught SyntaxError: Unexpected identifier ‘Object’

With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system.

References

github.com/advisories/GHSA-pw8r-6689-xvf4
github.com/peerigon/angular-expressions/security/advisories/GHSA-pw8r-6689-xvf4
nvd.nist.gov/vuln/detail/CVE-2026-44643

Code Behaviors & Features

Detect and mitigate CVE-2026-44643 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →