Angular has disclosed a high-severity Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-32635 and categorized under CWE-79, affecting its widely used @angular/compiler and @angular/core packages. Given Angular’s extensive adoption across enterprise and consumer web applications, the flaw presents a significant security risk on a global scale.
The vulnerability originates from how Angular processes internationalization (i18n) in security-sensitive HTML attributes. While the framework typically includes strong built-in sanitization to prevent malicious code injection, researchers found that this protection can be bypassed under specific conditions.
The issue arises when developers apply i18n to sensitive attributes such as href, src, action, formaction, or data, using syntax like i18n-href. If untrusted or user-controlled input is simultaneously bound to these attributes, Angular may skip its standard sanitization checks. This opens the door for attackers to inject and execute malicious scripts within the application.
To successfully exploit this flaw, an application must meet certain criteria:
- It must run a vulnerable Angular version
- It must bind untrusted input to a sensitive attribute
- The same attribute must be marked for internationalization
When these conditions are met, attackers can execute arbitrary JavaScript in the user’s browser, leading to serious consequences such as:
- Session Hijacking: Theft of cookies and authentication tokens
- Data Exfiltration: Unauthorized capture and transmission of sensitive data
- Unauthorized Actions: Execution of actions on behalf of the user
Angular has released security patches across several supported versions. Fixes are available in:
- 22.0.0-next.3 (patches versions below it in the 22.x line)
- 21.2.4
- 20.3.18
- 19.2.20
However, versions spanning 17.x to 18.2.14 remain vulnerable with no official patch currently available.
The recommended mitigation is to upgrade to a patched version as soon as possible. For organizations unable to update immediately, developers should avoid binding untrusted data to sensitive attributes, especially when using i18n. As an additional safeguard, Angular recommends using the DomSanitizer to explicitly sanitize inputs before rendering them in the DOM. This helps neutralize potential script injections even if the i18n-related bypass is triggered. This vulnerability highlights the importance of secure coding practices and staying current with framework updates, particularly for widely deployed technologies like Angular.
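An added example (not Angular's or the advisory's code): a heuristic Node.js check that flags template tags where one of the sensitive attributes named above is both marked i18n-<attr> and data-bound, so those bindings can be reviewed before and after upgrading. The function name, the sample template, and the choice to treat [attr], [attr.attr] and {{ }} interpolation as bindings are assumptions.

```javascript
// Attributes the advisory lists as security-sensitive.
const SENSITIVE = ["href", "src", "action", "formaction", "data"];

// Heuristic audit (assumption: regex matching, not a real template parser).
// Reports opening tags where a sensitive attribute carries an i18n-<attr>
// marker AND is bound via [attr]=, [attr.attr]= or attr="{{ ... }}".
function findI18nBoundAttrs(template) {
  const findings = [];
  // Opening tag with its attribute text; quoted values may contain '>'.
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = tagRe.exec(template)) !== null) {
    const tag = m[1];
    const attrs = m[2];
    const line = template.slice(0, m.index).split("\n").length;
    for (const name of SENSITIVE) {
      const marked = new RegExp(`(^|\\s)i18n-${name}(?=[\\s=/]|$)`, "i").test(attrs);
      const propBound = new RegExp(`(^|\\s)\\[(attr\\.)?${name}\\]\\s*=`, "i").test(attrs);
      const interpolated = new RegExp(
        `(^|\\s)${name}\\s*=\\s*("[^"]*\\{\\{[^"]*"|'[^']*\\{\\{[^']*')`, "i"
      ).test(attrs);
      if (marked && (propBound || interpolated)) {
        findings.push({ line, tag, attr: name });
      }
    }
  }
  return findings;
}

// Constructed sample template (not taken from the advisory).
const SAMPLE = `
<a href="{{ profileUrl }}" i18n-href>Profile</a>
<a href="/help" i18n-href="@@helpLink">Help</a>
<iframe [src]="widgetUrl"></iframe>
<form i18n-action
      [attr.action]="submitUrl"></form>
<img src="logo.png" i18n-title title="Logo" data-src="{{ x }}">
`;

for (const f of findI18nBoundAttrs(SAMPLE)) {
  console.log(`line ${f.line}: <${f.tag}> binds and translates "${f.attr}"`);
}
```

A static, translated-only attribute (the second link) and a bound attribute without an i18n marker (the iframe) are not reported, because the advisory's conditions require both on the same attribute.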

