Cyber Resilience

CVE-2026-44643

Critical · RCE

Published: 11 May 2026

Modified: 13 May 2026
CVSS Score v4: 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0048 (37.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-44643 is a critical-severity Eval Injection (CWE-95) vulnerability in Peerigon Angular-Expressions. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 37.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Sandbox escape in AngularJS expression evaluation directly enables client-side arbitrary code execution via malicious input (CWE-95).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-48962 · Shared CWE-95
CVE-2026-44128 · Shared CWE-95
CVE-2026-33618 · Shared CWE-95
CVE-2013-10051 · Shared CWE-95
CVE-2025-8420 · Shared CWE-95
CVE-2026-35002 · Shared CWE-95
CVE-2026-29091 · Shared CWE-95
CVE-2026-31254 · Shared CWE-95
CVE-2026-4001 · Shared CWE-95
CVE-2026-42079 · Shared CWE-95

Affected Assets

peerigon · angular-expressions · ≤ 1.5.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
