CVE-2026-32635
Awaiting Analysis Awaiting Analysis - Queue
Cross-Site Scripting in Angular Runtime via i18n Attribute

Publication date: 2026-03-16

Last updated on: 2026-04-30

Assigner: GitHub, Inc.

Description
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32635
EUVD
EUVD-2026-12140
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
angular angular_cli From 17.0.0 (inc) to 19.2.0 (exc)
angular angular_cli From 20.0.0 (inc) to 20.3.18 (inc)
angular angular_cli From 21.0.0 (inc) to 21.2.4 (exc)
angular angular_cli 22.0.0
angular angular_cli 22.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32635 is a high-severity Cross-Site Scripting (XSS) vulnerability in the Angular framework's runtime and compiler. It occurs when security-sensitive HTML attributes (such as href, src, action, and others) are marked for internationalization using Angular's i18n attribute bindings (e.g., i18n-href). This marking bypasses Angular's built-in sanitization mechanisms, allowing untrusted user input bound to these attributes to inject malicious scripts."}, {'type': 'paragraph', 'content': 'Specifically, attributes like action, background, cite, codebase, data, formaction, href, itemtype, longdesc, poster, src, and xlink:href were vulnerable when used with translations. For example, an element like <a href="{{maliciousUrl}}" i18n-href>Click me</a> could be exploited if maliciousUrl contains a script payload.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because Angular did not properly sanitize translated attribute bindings with interpolations, and also allowed translations of certain attributes like iframe src, which posed additional risks.'}, {'type': 'paragraph', 'content': 'The issue has been fixed in Angular versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20 by enhancing sanitization of these attributes and disallowing translations of iframe src attributes.'}] [1, 2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'If exploited, this vulnerability allows attackers to inject and execute arbitrary malicious scripts within the context of the affected Angular application.'}, {'type': 'list_item', 'content': "Arbitrary code execution within the application's domain."}, {'type': 'list_item', 'content': 'Session hijacking, allowing attackers to impersonate legitimate users.'}, {'type': 'list_item', 'content': 'Data exfiltration, potentially leaking sensitive user or application data.'}, {'type': 'list_item', 'content': 'Unauthorized actions performed on behalf of the user, such as changing settings or making transactions.'}, {'type': 'paragraph', 'content': 'The vulnerability requires that the application uses a vulnerable Angular version, binds unsanitized user input to affected attributes marked for internationalization, and that user interaction occurs.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by reviewing Angular application code for usage of security-sensitive HTML attributes (such as href, src, action, formaction, etc.) that are marked for internationalization using i18n-<attribute> bindings. Specifically, look for attribute bindings that combine i18n attributes with interpolated or untrusted user input, for example: <a href="{{userInput}}" i18n-href>.'}, {'type': 'paragraph', 'content': "Since this is a code-level vulnerability related to Angular's runtime and compiler sanitization, detection involves static code analysis or scanning the source code for patterns where i18n attributes are used on sensitive attributes with data bindings."}, {'type': 'paragraph', 'content': 'There are no specific network commands or system-level commands provided in the resources to detect exploitation or presence of this vulnerability.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade Angular to one of the patched versions: 22.0.0-next.3, 21.2.4, 20.3.18, or 19.2.20, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, ensure that any data bound to security-sensitive attributes marked for internationalization is properly sanitized or not sourced from untrusted user input.'}, {'type': 'paragraph', 'content': "Developers can explicitly sanitize attribute values using Angular's DomSanitizer service to prevent injection of malicious scripts. For example, using DomSanitizer's sanitize method with SecurityContext.URL to clean dangerous URLs before binding."}, {'type': 'paragraph', 'content': 'Additionally, avoid marking sensitive attributes such as src on iframe elements for translation, as the fix disallows this to prevent injection of malicious URLs.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32635. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart