CVE-2026-27970
Status: Received - Intake
Cross-Site Scripting in Angular i18n ICU Messages Enables JS Execution

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Versions prior to 21.2.0, 21.1.16, 20.3.17, and 19.2.19 have a cross-site scripting vulnerability in the Angular internationalization (i18n) pipeline: in ICU messages (International Components for Unicode), HTML from translated content was not properly sanitized and could execute arbitrary JavaScript.

Angular i18n typically involves three steps: extracting all messages from an application in the source language, sending the messages out to be translated, and merging the translations back into the final source code. Translation is frequently contracted to specific partner companies, so the source messages are sent to a separate contractor and the final translations come back from there before being displayed to the end user. If the returned translations contain malicious content, it can be rendered into the application and execute arbitrary JavaScript.

When successfully exploited, this vulnerability allows execution of attacker-controlled JavaScript in the application origin. Depending on the nature of the application being exploited, this could lead to credential exfiltration and/or page vandalism.

Several preconditions apply to the attack. The attacker must compromise the translation file (xliff, xtb, etc.); unlike most XSS vulnerabilities, this issue is not exploitable by arbitrary users, and only after compromising an application's translation file can an attacker escalate from that foothold into the Angular application client. The victim application must use Angular i18n, use one or more ICU messages, render an ICU message, and not defend against XSS with a safe content security policy. Versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 patch the issue.

Until the patch is applied, developers should consider reviewing and verifying translated content received from untrusted third parties before incorporating it into an Angular application, enabling strict CSP controls to block unauthorized JavaScript from executing on the page, and enabling Trusted Types to enforce proper HTML sanitization.
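As an added example (not code from Angular or from this advisory), the following Python script audits XLIFF 1.2 and XTB translation files the way the interim mitigation above recommends: it pulls every translated string and flags any embedded HTML tag that carries an event-handler attribute or one of an assumed set of URI-valued attributes, the places where script can ride into an ICU message. The XLIFF sample is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed set of URI-valued attributes; event handlers are matched by their on* prefix.
URI_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "srcdoc"}
TAG_RE = re.compile(r"<([a-zA-Z][\w:-]*)\b([^>]*)>")
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")

# Constructed sample: a German XLIFF 1.2 file whose ICU plural translation was
# tampered with on the translation supplier's side; the "greeting" unit is clean.
SAMPLE_XLIFF = """<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
<file source-language="en" target-language="de" datatype="plaintext"><body>
<trans-unit id="greeting"><source>Hello</source><target>Hallo</target></trans-unit>
<trans-unit id="itemCount"><source>{VAR_PLURAL, plural, =1 {one item} other {{INTERPOLATION} items}}</source>
<target>{VAR_PLURAL, plural, =1 {ein &lt;a href="javascript:alert(1)"&gt;Element&lt;/a&gt;}
other {{INTERPOLATION} &lt;b onmouseover="x()"&gt;Elemente&lt;/b&gt;}}</target></trans-unit>
</body></file></xliff>"""

def local(tag):
    """Strip the XML namespace: '{urn:...}target' -> 'target'."""
    return tag.rsplit("}", 1)[-1]

def translated_strings(xml_text):
    """Yield (id, text) for each XLIFF <target> or XTB <translation>; itertext()
    decodes entities, so a translator's '&lt;a ...&gt;' comes back as a real tag."""
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name == "trans-unit":
            for child in el:
                if local(child.tag) == "target":
                    yield el.get("id", "?"), "".join(child.itertext())
        elif name == "translation":
            yield el.get("id", "?"), "".join(el.itertext())

def suspicious_attributes(text):
    """Return (tag, attribute, value) for every event-handler or URI attribute
    found on an HTML tag embedded in a translated string."""
    hits = []
    for m in TAG_RE.finditer(text):
        tag, attrs = m.group(1).lower(), m.group(2)
        for name, value in ATTR_RE.findall(attrs):
            if name.lower().startswith("on") or name.lower() in URI_ATTRS:
                hits.append((tag, name.lower(), value.strip("\"'")))
    return hits

def audit(xml_text):
    """Map translation id -> findings, listing only units with something risky."""
    return {uid: hits for uid, text in translated_strings(xml_text)
            if (hits := suspicious_attributes(text))}
```

Run `audit()` over each file returned by a translation vendor before merging it; any non-empty report is a unit to reject or hand-review, since no legitimate translation needs a URI or handler attribute that the source message did not already carry.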
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product    Version / Range
angular   angular    up to 19.2.19 (excluding)
angular   angular    from 20.0.0 (including) to 20.3.17 (excluding)
angular   angular    from 21.0.0 (including) to 21.1.6 (excluding)
angular   angular    21.2.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27970 is a Cross-Site Scripting (XSS) vulnerability in Angular's internationalization (i18n) pipeline, specifically in the handling of ICU (International Components for Unicode) messages used for translations.

The vulnerability arises because HTML content within translated ICU messages was not properly sanitized, allowing malicious JavaScript embedded in translation files (such as xliff or xtb) to execute when rendered in the application.

An attacker must first compromise the translation files before injecting malicious scripts. The victim application must use Angular i18n, render ICU messages, and lack protective measures like strict Content-Security Policy (CSP) or Trusted Types enforcement.

The fix involves blocking the creation of any URI attributes from ICU messages entirely, switching from a blocklist to an allowlist approach for HTML attributes in translations, dropping unknown attributes, and replacing URI attribute values with a safe placeholder to prevent malicious content execution.


How can this vulnerability impact me?

If exploited, this vulnerability allows execution of attacker-controlled JavaScript within the Angular application origin.

This can lead to serious impacts such as credential exfiltration by accessing sensitive data stored in memory, LocalStorage, IndexedDB, or cookies.

It can also result in page vandalism or manipulation, compromising the integrity and trustworthiness of the application.

However, exploitation requires the attacker to have compromised the translation files beforehand, and the application must not have strict CSP or Trusted Types protections enabled.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves malicious JavaScript execution through compromised translation files (such as xliff or xtb) used in Angular's internationalization (i18n) ICU messages. Detection involves reviewing translation files for unexpected or suspicious HTML content, especially URI attributes that could contain JavaScript or harmful links.

Since the vulnerability is related to translation files and their content, network detection could include monitoring for unauthorized changes or transfers of translation files to or from your systems.

There are no specific commands provided in the resources or context to detect this vulnerability directly on a network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-27970, you should immediately apply the official patches provided in Angular versions 21.2.0, 21.1.6, 20.3.17, and 19.2.19 or later, which block unsafe URI attributes and enforce an allowlist of safe attributes in ICU message translations.

Until patches are applied, review and verify all translated content received from untrusted third parties before incorporating it into your Angular application.

Enable strict Content Security Policy (CSP) controls to block unauthorized JavaScript execution on your pages.

Enforce Trusted Types in your application to ensure proper HTML sanitization and prevent injection of malicious scripts.

