CVE-2026-32635

Cross-Site Scripting
Affects Angular
Versions
>=22.0.0-next.0 <22.0.0-next.3, >=21.0.0-next.0 <21.2.4, >=20.0.0-next.0 <20.3.18, >=17.0.0.next.0 <19.2.20
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Angular is a TypeScript-based web development platform for building scalable single-page and server-side rendered applications. It provides a modular architecture, powerful dependency injection, and built-in tools for building modern, performant, and maintainable applications across web, mobile, and desktop environments.

A high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2026-32635) has been identified in the Angular runtime and compiler. Enabling internationalization for a security-sensitive attribute (for example, href on an anchor tag) by adding an i18n-<name> attribute bypasses Angular's built-in sanitization mechanism; when that attribute is also data-bound to untrusted user-generated data, an attacker can inject a malicious script.

Per OWASP: Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user.

This issue affects multiple versions of Angular.

Details

Vulnerability Info

This high-severity vulnerability is found in the @angular/compiler and @angular/core packages in multiple published versions of Angular.

It occurs when the application uses a security-sensitive attribute (for example, href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding an i18n-<name> attribute bypasses Angular's built-in sanitization mechanism; when that attribute is also data-bound to untrusted user-generated data, an attacker can inject a malicious script.

The following example illustrates the issue:

<a href="{{ maliciousUrl }}" i18n-href>Click me</a>

The following attributes have been confirmed to be vulnerable:

  • action
  • background
  • cite
  • codebase
  • data
  • formaction
  • href
  • itemtype
  • longdesc
  • poster
  • src
  • xlink:href
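As an added example (not Angular's or HeroDevs' code), a heuristic TypeScript scanner that flags this pattern in a template source string: one of the attributes listed above that is both data-bound and marked with i18n-<name>. The regexes, SAMPLE_TEMPLATE and findI18nSensitiveBindings are assumptions of this example; it goes beyond the interpolation shown above by also reporting the [name], [attr.name] and bind-name binding forms.

```typescript
// Added example (not Angular's or HeroDevs' code): heuristic scanner for the
// CVE-2026-32635 pattern, a security-sensitive attribute that is data-bound
// AND carries an i18n-<name> marker, so Angular's sanitizer is bypassed.

// Attribute names the advisory lists as confirmed vulnerable.
const SENSITIVE_ATTRS = [
  "action", "background", "cite", "codebase", "data", "formaction",
  "href", "itemtype", "longdesc", "poster", "src", "xlink:href",
];
// line: 1-based line of the opening tag; binding: the bound form found.
type Finding = { line: number; tag: string; attribute: string; binding: string };

// Opening tag plus raw attribute text. Heuristic: a ">" inside an
// interpolation would cut the tag short, acceptable for a triage scan.
const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*?)\/?>/g;
// name[=value] pairs (quoted or bare values) inside the attribute text.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+)))?/g;

function findI18nSensitiveBindings(template: string): Finding[] {
  const findings: Finding[] = [];
  let tag: RegExpExecArray | null;
  while ((tag = TAG_RE.exec(template)) !== null) {
    const attrs: Record<string, string> = {};
    let m: RegExpExecArray | null;
    while ((m = ATTR_RE.exec(tag[2])) !== null) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
    }
    const has = (k: string) => Object.prototype.hasOwnProperty.call(attrs, k);
    const line = template.slice(0, tag.index).split("\n").length;
    for (const name of SENSITIVE_ATTRS) {
      // Without the i18n marker Angular's sanitizer still covers the attribute.
      if (!has("i18n-" + name)) continue;
      let binding = "";
      if (has(name) && attrs[name].indexOf("{{") !== -1) binding = name + "={{...}}";
      else if (has("[" + name + "]")) binding = "[" + name + "]";
      else if (has("[attr." + name + "]")) binding = "[attr." + name + "]";
      else if (has("bind-" + name)) binding = "bind-" + name;
      if (binding) findings.push({ line, tag: tag[1].toLowerCase(), attribute: name, binding });
    }
  }
  return findings;
}

// Constructed sample template: two flagged elements and two benign ones.
const SAMPLE_TEMPLATE = `
<a href="{{ maliciousUrl }}" i18n-href>Click me</a>
<a href="{{ url }}">No i18n marker: the sanitizer still applies</a>
<img [src]="avatar" i18n-src alt="">
<a href="/docs" i18n-href>Static value, nothing bound</a>
`;
```

Running it over SAMPLE_TEMPLATE reports the anchor on line 2 (href interpolation) and the img on line 4 ([src] binding); a bound attribute without the i18n marker, or a marked attribute with a static value, is not reported.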

When successfully exploited, this vulnerability allows for arbitrary JavaScript execution within the context of the victim's browser session. This can lead to:

  • Session hijacking: Stealing session cookies, localStorage data, or authentication tokens.
  • Data exfiltration: Accessing and transmitting sensitive information displayed within the application.
  • Unauthorized actions: Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

Mitigation

Angular versions prior to 19 are End-of-Life and will not receive any updates to address this issue. For more information see here.

Users of the affected components should apply one of the following mitigations:

  • Migrate affected applications to a patched version of Angular.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

VenkatKwest (finder)

Vulnerability Details

Severity: High

Severity levels by CVSS assessment:
  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10

ID: CVE-2026-32635
Project Affected: Angular
Versions Affected: >=22.0.0-next.0 <22.0.0-next.3, >=21.0.0-next.0 <21.2.4, >=20.0.0-next.0 <20.3.18, >=17.0.0.next.0 <19.2.20
NES Versions Affected: (not listed on the page)
Published date: March 13, 2026
≈ Fix date: March 13, 2026
Category: Cross-Site Scripting