
CVE-2026-44643: Angular Expressions Remote Code Execution in Versions 1.5.1 and Earlier

CVE-2026-44643 GHSA-pw8r-6689-xvf4
Summary

In Angular Expressions versions 1.5.1 and earlier, an attacker who can supply an expression could execute arbitrary code on the system that evaluates it. This is a serious issue because it could give the attacker full control over that system. To protect yourself, update to version 1.5.2 or later of Angular Expressions.

What to do
  • Update edi9999 angular-expressions to version 1.5.2.
  • Update angular-expressions to version 1.5.2.
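
To confirm that no affected copy remains after the update, including copies pulled in transitively, the lockfile can be checked. The following is an added example, not part of the advisory or the project's code; the sample lockfile and the `docx-helper` package name are constructed for illustration.

```javascript
// Added example (not from the advisory): flag angular-expressions <= 1.5.1 in a lockfile.
const PKG = "angular-expressions";
const FIXED = [1, 5, 2]; // first patched release named on this page

// True when `version` sorts below 1.5.2. Unparseable values (git URLs, links)
// and 1.5.2 prereleases are flagged for manual review (conservative assumption).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?(\+.*)?$/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return m[4] !== undefined;
}

// Return every installed copy, direct or transitive, that needs upgrading.
function findAffected(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PKG) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists,
  // because v2 lockfiles carry both and would be counted twice).
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === PKG && isAffected(meta.version)) {
        hits.push({ path: here.join(" > "), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  })(lock.packages ? null : lock.dependencies, []);
  return hits;
}

// Constructed sample: top-level copy is patched, a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/angular-expressions": { version: "1.5.2" },
    "node_modules/docx-helper/node_modules/angular-expressions": { version: "1.4.3" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; any entry returned still resolves to a version below 1.5.2.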
Affected software
| Ecosystem | Vendor | Product | Affected versions | Fix |
|---|---|---|---|---|
| npm | edi9999 | angular-expressions | <= 1.5.1, < 1.5.2 | upgrade to 1.5.2 |
| npm | | angular-expressions | <= 1.5.1, < 1.5.2 | upgrade to 1.5.2 |
| | peerigon | angular-expressions | < 1.5.2 (cpe:2.3:a:peerigon:angular-expressions:\*:\*:\*:\*:\*:node.js:\*:\*) | |
Original title
Angular Expressions - Remote Code Execution using filters
Original description
## Impact

An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system.

Example of vulnerable code:

```
const expressions = require("angular-expressions");
const result = expressions.compile("a | __proto__")({}, {});
```

This should throw the error: Filter '__proto__' is not defined. However, it shows:

Uncaught SyntaxError: Unexpected identifier 'Object'

With a more complex (undisclosed) payload, one can get full arbitrary code execution on the system.

## Vulnerable versions

angular-expressions <= 1.5.1

## Patches

The problem has been patched in version 1.5.2 of angular-expressions.

## Credits

Credits go to San Gil from [www.securityoffice.io](https://securityoffice.io/), who found the issue and reported it to us.
nvd CVSS4.0 9.3
Vulnerability type
CWE-95
Published: 11 May 2026 · Updated: 30 May 2026 · First seen: 11 May 2026