Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVE-2026-44643

High

9.3/10

Summary

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to version 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.

Attack Complexity: LOW
Attack Vector: NETWORK
User Interaction: NONE
Privileges Required: NONE

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

References

Advisory

Advisory Timeline

Published May 11, 2026

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVE-2026-44643

Summary

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS