CVE-2026-44643

CRITICAL
Published May 11, 2026 Modified May 13, 2026 CWE-95

Description

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.

CVSS v3.1 Score

10.0
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS — Exploit Prediction

0.0011
Probability of exploitation
0.29%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-95 CWE-95

Affected Products

Vendor Product
peerigon angular-expressions

References

Frequently Asked Questions

What is CVE-2026-44643? +
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2. It has a CVSS v3.1 base score of 10.0 (CRITICAL).
How severe is CVE-2026-44643? +
CVE-2026-44643 has a CVSS v3.1 score of 10.0 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately. The EPSS score is 0.0011, placing it in the 0th percentile for exploitation probability.
What products are affected by CVE-2026-44643? +
CVE-2026-44643 affects products from peerigon, specifically: angular-expressions. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2026-44643? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2013-10070

PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() …
CVE-2025-58365

The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, …
CVE-2025-47271

The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in …
CVE-2025-4318

The AWS Amplify Studio UI component property expressions in the aws-amplify/amplify-codegen-ui package lack input validation. This could potentially allow an …
CVE-2025-49598

conda-forge-ci-setup is a package installed by conda-forge each time a build is run on CI. The conda-forge-ci-setup-feedstock setup script is …
CVE-2011-10033

The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-44643 — free, no signup required.

Start Free Scan