CVE-2026-27970
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.
A high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-27970) has been identified in the Angular internationalization (i18n) pipeline. In ICU (International Components for Unicode) messages, HTML contained in translated content was not properly sanitized and could execute arbitrary JavaScript.
A Cross-site Scripting (XSS) vulnerability is a type of security flaw that allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:
- Session hijacking
- Data theft
- Malware distribution
- Defacement or phishing
- Privilege escalation
Details
Module Info
- Product: Angular
- Affected packages: @angular/core
- Affected versions: >= 21.2.0-next.0 <= 21.2.0-rc.0, >= 21.0.0-next.0 <= 21.1.5, >= 20.0.0-next.0 <= 20.3.16, >= 19.0.0-next.0 <= 19.2.18, <= 18.2.14
- GitHub repository: https://github.com/angular/angular
- Published packages: https://www.npmjs.com/package/@angular/core
- Package manager: npm
- Fixed in:
  - OSS Angular v21.2.0, v21.1.6, v20.3.17, v19.2.19
Vulnerability Info
This high-severity vulnerability is found in the main @angular/core package in the listed versions of Angular.
Angular i18n typically involves three steps: extracting all messages from an application in the source language, sending the messages out to be translated, and then merging the translations back into the final source code. Translation is frequently contracted to specific partner companies, so the source messages are sent to a separate contractor and the returned translations are then displayed to the end user.
If the returned translations contain malicious content, that content could be rendered into the application and execute arbitrary JavaScript.
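A pre-merge check that a team could run on translations returned from a vendor, added here as an example (it is not Angular's or HeroDevs' code): it walks XLIFF 1.2 trans-units, strips the placeholder elements Angular emits for the source's own markup, and flags literal markup the translator typed into the target text, inside or outside ICU branches. The tag allowlist and the sample file are assumptions made for illustration.

```typescript
// Added example (not Angular's or HeroDevs' code): audit vendor-supplied XLIFF 1.2
// translations before they are merged, flagging literal markup typed into <target>
// text, including text inside ICU branches like {n, plural, =0 {...} other {...}}.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "br", "p", "span"]); // assumed allowlist
interface Finding { unitId: string; reason: string; }

// Translators write literal markup into a target as entities; decode it to inspect it.
function decodeEntities(s: string): string {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Report tags outside the allowlist, and event-handler or script-scheme attributes on allowed tags.
function checkMarkup(unitId: string, text: string, out: Finding[]): void {
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w:-]*)([^>]*)>/g;
  let t: RegExpExecArray | null;
  while ((t = tagRe.exec(text)) !== null) {
    const tag = t[1].toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) { out.push({ unitId, reason: `disallowed tag <${tag}>` }); continue; }
    const attrRe = /([\w:-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
    let a: RegExpExecArray | null;
    while ((a = attrRe.exec(t[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2].replace(/^["']|["']$/g, "").trim().toLowerCase();
      if (name.startsWith("on") || ((name === "href" || name === "src") && /^(javascript|data):/.test(value))) {
        out.push({ unitId, reason: `unsafe attribute ${name} on <${tag}>` });
      }
    }
  }
}

// Walk each <trans-unit>; strip the XLIFF inline elements (<x .../>, <g>...</g>) that Angular
// emits for the source's own markup, so only literal text the translator typed is inspected.
function auditXliff(xliff: string): Finding[] {
  const findings: Finding[] = [];
  const unitRe = /<trans-unit\b[^>]*\bid="([^"]+)"[^>]*>([\s\S]*?)<\/trans-unit>/g;
  let u: RegExpExecArray | null;
  while ((u = unitRe.exec(xliff)) !== null) {
    const target = /<target\b[^>]*>([\s\S]*?)<\/target>/.exec(u[2]);
    if (target) checkMarkup(u[1], decodeEntities(target[1].replace(/<\/?[xg]\b[^>]*\/?>/g, "")), findings);
  }
  return findings;
}

// Constructed sample: a clean ICU plural, an allowed tag carrying an event handler, a disallowed tag.
const SAMPLE_XLIFF = `<xliff version="1.2"><file><body>
<trans-unit id="items"><source>{VAR_PLURAL, plural, =0 {none} other {{INTERPOLATION} items}}</source>
<target>{VAR_PLURAL, plural, =0 {keine} other {&lt;b&gt;{INTERPOLATION}&lt;/b&gt; Artikel}}</target></trans-unit>
<trans-unit id="hello"><source>Hello</source><target>Hallo &lt;span onmouseover="placeholder()"&gt;Welt&lt;/span&gt;</target></trans-unit>
<trans-unit id="bye"><source>Bye</source><target>Tschüss &lt;img src="x"&gt;</target></trans-unit>
</body></file></xliff>`;
```

Running `auditXliff(SAMPLE_XLIFF)` yields two findings (the `onmouseover` attribute in `hello` and the `<img>` tag in `bye`) while the ICU plural with its `<b>` passes; any finding should block the merge until the vendor file has been reviewed.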
Mitigation
Users of affected Angular packages should apply one of the following mitigations:
- Upgrade to a patched version of the @angular/core package.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.