CVE-2026-32635
Status: Awaiting Analysis
Cross-Site Scripting in Angular Runtime via i18n Attribute

Publication date: 2026-03-16

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability exists in the Angular runtime and compiler. It occurs when an application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Marking the sensitive attribute for translation with an i18n-<attribute> marker (for example i18n-href) bypasses Angular's built-in sanitization for that attribute; combined with a data binding to untrusted user-generated data, this allows an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs
Vendor   Product      Version / Range
angular  angular_cli  From 17.0.0 (inc) to 19.2.0 (exc)
angular  angular_cli  From 20.0.0 (inc) to 20.3.18 (inc)
angular  angular_cli  From 21.0.0 (inc) to 21.2.4 (exc)
angular  angular_cli  22.0.0
angular  angular_cli  22.0.0
Note: the CPE ranges above do not agree with the fixed versions in the description (19.2.20, 20.3.18 and 21.2.4 are the first fixed releases of their lines, so 19.2.x below 19.2.20 and 20.3.18 itself should not be treated as affected/unaffected on the basis of this table). The CPEs also name angular_cli, whereas the description places the flaw in the Angular runtime and compiler; check the version of the Angular framework packages in your lock file, not only the CLI.
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32635 is a high-severity Cross-Site Scripting (XSS) vulnerability in the Angular framework's runtime and compiler. It occurs when security-sensitive HTML attributes (such as href, src, action, and others) are marked for internationalization using Angular's i18n attribute bindings (e.g., i18n-href). This marking bypasses Angular's built-in sanitization mechanisms, allowing untrusted user input bound to these attributes to inject malicious scripts.

Specifically, attributes like action, background, cite, codebase, data, formaction, href, itemtype, longdesc, poster, src, and xlink:href were vulnerable when used with translations. For example, an element like <a href="{{maliciousUrl}}" i18n-href>Click me</a> could be exploited if maliciousUrl contains a script payload.

The vulnerability arises because Angular did not properly sanitize translated attribute bindings with interpolations, and also allowed translations of certain attributes like iframe src, which posed additional risks.

The issue has been fixed in Angular versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20 by enhancing sanitization of these attributes and disallowing translations of iframe src attributes. [1, 2, 3]


How can this vulnerability impact me? :

If exploited, this vulnerability allows attackers to inject and execute arbitrary malicious scripts within the context of the affected Angular application:
- Arbitrary script execution in the application's origin, with the same access to the DOM, cookies accessible to script, and same-origin APIs as the application itself.
- Session hijacking, allowing attackers to impersonate legitimate users.
- Data exfiltration, potentially leaking sensitive user or application data.
- Unauthorized actions performed on behalf of the user, such as changing settings or making transactions.

The vulnerability requires that the application uses a vulnerable Angular version, binds unsanitized user input to affected attributes marked for internationalization, and that user interaction occurs. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reviewing Angular application code for usage of security-sensitive HTML attributes (such as href, src, action, formaction, etc.) that are marked for internationalization using i18n-<attribute> bindings. Specifically, look for attribute bindings that combine i18n attributes with interpolated or untrusted user input, for example: <a href="{{userInput}}" i18n-href>.

Since this is a code-level vulnerability related to Angular's runtime and compiler sanitization, detection involves static code analysis or scanning the source code for patterns where i18n attributes are used on sensitive attributes with data bindings.

There are no specific network commands or system-level commands provided in the resources to detect exploitation or presence of this vulnerability. [2]
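The following scanner is an added example written for this page; it is not Angular's code and not part of the advisory. It implements the static check described above: it walks the opening tags of an Angular template and reports any element where an i18n-<attribute> marker is placed on one of the sensitive attributes listed earlier (action, background, cite, codebase, data, formaction, href, itemtype, longdesc, poster, src, xlink:href) while that same attribute carries a data binding. Interpolated static attributes (href="{{ expr }}") are the case the description covers; property bindings ([href]="expr", [attr.href]="expr") on a marked attribute are also reported for review, which is this example's own conservative choice rather than something the advisory states. The template text, element and variable names are constructed for the demonstration. It uses no Angular or Node APIs, so it runs offline on any template file read as a string.

```typescript
// Added example (not Angular's code): scan Angular templates for the pattern
// behind CVE-2026-32635, where an i18n-<attr> marker sits on a
// security-sensitive attribute that also carries a data binding.

// Attributes named in the discussion above as sanitized URL/resource sinks.
const SENSITIVE_ATTRS: string[] = [
  "action", "background", "cite", "codebase", "data", "formaction", "href",
  "itemtype", "longdesc", "poster", "src", "xlink:href",
];

interface Finding {
  line: number;                          // 1-based line of the opening tag
  tag: string;                           // element name, e.g. "a"
  attr: string;                          // sensitive attribute, e.g. "href"
  binding: "interpolation" | "property"; // how the bound value arrives
  snippet: string;                       // the offending opening tag
}

// Opening tags only: captures the tag name and the raw attribute text.
// Limitation (acceptable for triage): a literal '>' inside an attribute
// value ends the tag early.
const OPEN_TAG = /<([a-zA-Z][\w:.-]*)\b([^>]*)>/g;

function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function scanTemplate(template: string): Finding[] {
  const findings: Finding[] = [];
  OPEN_TAG.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = OPEN_TAG.exec(template)) !== null) {
    const [whole, tag, attrText] = m;
    const line = template.slice(0, m.index).split("\n").length;
    for (const attr of SENSITIVE_ATTRS) {
      const a = escapeRe(attr);
      // i18n-href, i18n-href="@@id", i18n-href="meaning|description" ...
      const hasI18n = new RegExp(`(^|\\s)i18n-${a}(\\s|=|/|$)`, "i").test(attrText);
      if (!hasI18n) continue;
      // Static attribute whose value contains an interpolation: href="...{{ expr }}..."
      // This is the case the advisory describes.
      const interp = new RegExp(
        `(^|\\s)${a}\\s*=\\s*("[^"]*\\{\\{[^"]*"|'[^']*\\{\\{[^']*')`, "i").test(attrText);
      // Property binding on the same attribute: [href]="expr" or [attr.href]="expr".
      // Reported for review as well (this scanner's assumption, not the advisory's).
      const prop = new RegExp(`(^|\\s)\\[(attr\\.)?${a}\\]\\s*=`, "i").test(attrText);
      if (interp || prop) {
        findings.push({
          line, tag, attr,
          binding: interp ? "interpolation" : "property",
          snippet: whole.trim(),
        });
      }
    }
  }
  return findings;
}

// Constructed sample template (not from any real application).
const SAMPLE_TEMPLATE = `
<a href="{{ profileUrl }}" i18n-href="@@profileLink">Click me</a>
<img [src]="avatar" i18n-src alt="">
<a href="/static/about" i18n-href>About</a>
<a href="{{ userUrl }}">No i18n marker, normal sanitization applies</a>
<iframe src="{{ embed }}" i18n-src></iframe>
`;

for (const f of scanTemplate(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.attr} via ${f.binding}: ${f.snippet}`);
}
```

Run over the sample it reports the two interpolated cases (the anchor href and the iframe src) plus the property-bound img src, and stays silent on the static translated href and on the interpolated href that has no i18n marker. Feed it the contents of each .html template and inline template string in the project; every hit is a binding whose source must be shown to be trusted, or which must be moved off the i18n marker, until the project is on a fixed release.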


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Angular to one of the patched versions: 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20, where this vulnerability has been fixed.

If upgrading is not immediately possible, ensure that any data bound to security-sensitive attributes marked for internationalization is properly sanitized or not sourced from untrusted user input. Because the i18n-<attribute> marker is what bypasses Angular's sanitization, removing the marker from attributes that carry untrusted bindings restores the normal sanitization path for those attributes.

Developers can explicitly sanitize attribute values using Angular's DomSanitizer service to prevent injection of malicious scripts, for example by calling DomSanitizer.sanitize with SecurityContext.URL to clean dangerous URLs before binding.

Additionally, avoid marking sensitive attributes such as src on iframe elements for translation, as the fix disallows this to prevent injection of malicious URLs. [1, 2, 3]

