A high-severity cross-site scripting (XSS) vulnerability, tracked as CVE-2026-32635, has been disclosed in the Angular framework’s runtime and compiler. It allows attackers to silently bypass Angular’s built-in DomSanitizer protections through a lesser-known interaction between internationalization (i18n) attribute markers and security-sensitive HTML attributes, putting thousands of enterprise and consumer-facing web applications at immediate risk.
Published on March 13, 2026, via GitHub Security Advisory GHSA-g93w-mfhg-p222, the flaw affects both the @angular/compiler and @angular/core npm packages, from Angular 17 through the 22.0.0 pre-release builds.
Angular XSS Bug
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). It is rated High severity under CVSS v4.0, with a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.
The CVSS vector string is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N: exploitation needs no special attack requirements (AT:N), only low privileges (PR:L), and only passive user interaction (UI:P), such as a victim viewing a page that renders the attacker-supplied value. That is a realistic and dangerous combination in modern web environments.
Angular’s security model normally prevents dangerous values from being bound to sensitive HTML attributes. For instance, a javascript: URI bound to an href attribute is automatically intercepted and neutralized by Angular’s DomSanitizer before it ever reaches the DOM.
This has been a foundational defense against XSS for Angular developers who rely on the framework’s security-by-default architecture. However, a critical gap emerges when developers also mark that same attribute for internationalization.
When a developer adds i18n-href to an element that also carries a [href] binding, the Angular compiler routes the attribute through its i18n localization pipeline instead of the security sanitization pipeline.
The localization pipeline handles message extraction and translation substitution; it was never designed to validate or sanitize security-sensitive values. The result is that a payload such as JavaScript: alert(document.cookie) reaches the DOM completely untouched.
If the bound expression (say, a component property such as maliciousUrl) resolves to an attacker-controlled value while i18n-href is present on the same element, Angular’s sanitizer is bypassed entirely, enabling arbitrary script execution in the victim’s browser.
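To make the contrast between “normally neutralized” and “reaches the DOM untouched” concrete, here is an added TypeScript example; it is not Angular’s source and not code from the advisory. sanitizeUrl is modelled on the check Angular’s DomSanitizer applies for SecurityContext.URL (a javascript: URL comes back prefixed with unsafe:, a scheme browsers will not navigate to); the exact regular expression is an assumption, since Angular has changed it between releases. renderHref is a toy model of the compiler routing described above, with the i18n-marked path skipping the sanitizer. The sample values are constructed for the comparison.

```typescript
// Added example, not Angular's source and not from the advisory. sanitizeUrl is
// modelled on the check Angular's DomSanitizer applies for SecurityContext.URL:
// a URL is kept if it has a non-javascript: scheme or no scheme at all, and is
// otherwise returned with an "unsafe:" prefix that browsers will not navigate to.
// Assumption: the pattern below is a reconstruction; Angular has changed it
// between releases, so consult the installed version for the exact rule.
const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:/?#]*(?:[/?#]|$))/i;

function sanitizeUrl(value: unknown): string {
  const url = String(value);
  // The match is anchored at offset 0 and case-insensitive, so "JavaScript:",
  // " javascript:" (leading space) and "java\tscript:" are all rejected: the
  // first by the lookahead, the other two because neither alternative matches
  // them. A positive "looks like a safe URL" match is what makes the browser's
  // whitespace-stripping tricks fail closed rather than open.
  return SAFE_URL_PATTERN.test(url) ? url : 'unsafe:' + url;
}

// Toy model of the compiler routing described for CVE-2026-32635: a plain
// [href] binding goes through the sanitizer, while [href] plus i18n-href on the
// same element is emitted by the localization pipeline with no sanitization.
function renderHref(boundValue: string, hasI18nMarker: boolean): string {
  return hasI18nMarker ? boundValue : sanitizeUrl(boundValue);
}

// Constructed payloads and benign values for the comparison.
const SAMPLE_VALUES = [
  'JavaScript: alert(document.cookie)', // the advisory's payload
  ' javascript:alert(1)',               // leading whitespace
  'java\tscript:alert(1)',              // tab inside the scheme
  'https://example.com/profile',
  '/profile?id=7',
];

for (const v of SAMPLE_VALUES) {
  console.log(JSON.stringify(v));
  console.log('  [href] only         ->', JSON.stringify(renderHref(v, false)));
  console.log('  [href] + i18n-href  ->', JSON.stringify(renderHref(v, true)));
}
```

The benign values are unchanged on both paths; the three javascript: variants are rewritten to unsafe:… on the sanitized path and emitted verbatim on the i18n-marked path, which is exactly the attacker-reachable difference.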
Affected Versions and Vulnerable Attributes
The vulnerability spans a wide range of Angular releases across both @angular/compiler and @angular/core:
| Angular Version Range | Patched Version |
|---|---|
| >= 22.0.0-next.0 < 22.0.0-next.3 | 22.0.0-next.3 |
| >= 21.0.0-next.0 < 21.2.4 | 21.2.4 |
| >= 20.0.0-next.0 < 20.3.18 | 20.3.18 |
| >= 19.0.0-next.0 < 19.2.20 | 19.2.20 |
| >= 17.0.0-next.0 <= 18.2.14 | None |
Notably, Angular versions 17 and 18 are end-of-life and will not receive an official patch, leaving applications still running them permanently exposed unless they migrate to a supported release. The following twelve HTML attributes have been confirmed vulnerable when combined with their corresponding i18n- prefix (for example, href together with i18n-href):
action, background, cite, codebase, data, formaction, href, itemtype, longdesc, poster, src, xlink:href
When exploited, CVE-2026-32635 allows an attacker to execute arbitrary JavaScript in the origin of the vulnerable application, with full access to its cookies, storage and authenticated API calls. The Centre for Cybersecurity Belgium (CCB) issued an emergency advisory urging organizations to patch with the highest priority after thorough testing. The confirmed attack outcomes include:
- Session Hijacking – Stealing session cookies and authentication tokens to impersonate legitimate users
- Credential and Data Exfiltration – Capturing and transmitting sensitive form inputs, PII, and API tokens to attacker-controlled servers
- Unauthorized Actions – Performing privileged operations on behalf of the victim, including account modifications or financial transactions
- Malware Distribution – Injecting drive-by download scripts or redirecting users to phishing infrastructure
Attack Preconditions
Three conditions must all hold for successful exploitation:
- The application runs a vulnerable Angular version: any 17.x or 18.x release (no patch exists), 19.x before 19.2.20, 20.x before 20.3.18, 21.x before 21.2.4, or a 22.0.0 pre-release before 22.0.0-next.3
- Unsanitized, user-controllable input (from URL parameters, API responses, or database values) is bound to one of the 12 vulnerable attributes
- The same element carries the corresponding i18n-<attribute> marker (for example, i18n-href next to a [href] binding), which routes the attribute through the localization pipeline
This combination is particularly dangerous because enterprise Angular applications that support multiple languages almost certainly use i18n attribute markers, and their intersection with dynamic data binding is common in real-world deployments.
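Because the second and third preconditions are both visible in template source, they can be checked statically before touching the data flow. The following TypeScript is an added example, not a tool from the Angular project or the advisory: it scans template text for elements where one of the twelve sensitive attributes is data-bound and the same element carries the matching i18n-<attribute> marker. Assumptions: it treats [x], [attr.x], bind-x and x="{{ ... }}" all as bindings (the advisory’s own example shows only the [x] form), it uses a small hand-written tag tokenizer rather than Angular’s template parser, and it runs over a constructed sample template rather than a real application.

```typescript
// Added example, not code from Angular or the advisory: a minimal static check
// for the CVE-2026-32635 pattern in template text. It flags any element where
// one of the 12 security-sensitive attributes is data-bound AND carries the
// matching i18n-<attribute> marker. The tokenizer is deliberately simple (no
// Angular compiler), so treat hits as candidates to review, not proof.

const SENSITIVE_ATTRIBUTES = [
  'action', 'background', 'cite', 'codebase', 'data', 'formaction',
  'href', 'itemtype', 'longdesc', 'poster', 'src', 'xlink:href',
];

interface Finding {
  line: number;       // 1-based line of the opening tag
  tag: string;        // element name, e.g. "a"
  attribute: string;  // sensitive attribute, e.g. "href"
  binding: string;    // the binding as written, e.g. "[href]"
}

// Role an attribute plays on the element, if any. Assumption: [x], [attr.x],
// bind-x and x="{{ ... }}" are all treated as bindings of attribute x.
function classify(name: string, value: string | undefined):
    { attr: string; kind: 'bound' | 'i18n' } | null {
  const n = name.toLowerCase();
  const bound = /^\[(?:attr\.)?([\w:.-]+)\]$/.exec(n) || /^bind-(?:attr\.)?([\w:.-]+)$/.exec(n);
  if (bound) return { attr: bound[1], kind: 'bound' };
  const i18n = /^i18n-([\w:.-]+)$/.exec(n);
  if (i18n) return { attr: i18n[1], kind: 'i18n' };
  if (value !== undefined && value.indexOf('{{') !== -1) return { attr: n, kind: 'bound' };
  return null;
}

// Attributes inside one opening tag (the text between the tag name and '>').
function attributesOf(body: string): Array<{ name: string; value?: string }> {
  const attrRe = /([^\s="'<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const out: Array<{ name: string; value?: string }> = [];
  let m: RegExpExecArray | null;
  while ((m = attrRe.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    out.push({ name: m[1], value });
  }
  return out;
}

function findRiskyBindings(template: string): Finding[] {
  const findings: Finding[] = [];
  const tagStart = /<([a-zA-Z][\w:-]*)/g;   // opening tags only; skips </x> and <!--
  let m: RegExpExecArray | null;
  while ((m = tagStart.exec(template)) !== null) {
    // Advance to the '>' that ends the tag, ignoring any '>' inside a quoted
    // value such as [disabled]="count > 3".
    let i = tagStart.lastIndex;
    let quote: string | null = null;
    while (i < template.length && (quote !== null || template.charAt(i) !== '>')) {
      const c = template.charAt(i);
      if (quote === null && (c === '"' || c === "'")) quote = c;
      else if (c === quote) quote = null;
      i++;
    }
    const body = template.slice(tagStart.lastIndex, i);
    tagStart.lastIndex = i;

    const bound: { [attr: string]: string } = {};
    const i18n: { [attr: string]: boolean } = {};
    for (const a of attributesOf(body)) {
      const c = classify(a.name, a.value);
      if (!c) continue;
      if (c.kind === 'bound') bound[c.attr] = a.name;
      else i18n[c.attr] = true;
    }
    for (const attr of Object.keys(bound)) {
      if (i18n[attr] && SENSITIVE_ATTRIBUTES.indexOf(attr) !== -1) {
        findings.push({
          line: template.slice(0, m.index).split('\n').length,
          tag: m[1].toLowerCase(),
          attribute: attr,
          binding: bound[attr],
        });
      }
    }
  }
  return findings;
}

// Constructed sample template (not from any real application). Only the
// <a>, <video> and <form> elements satisfy all of: sensitive attribute,
// data-bound, and i18n-marked.
const SAMPLE_TEMPLATE = `
<nav>
  <a [href]="profileUrl" i18n-href="@@profileLink">Profile</a>
  <a [href]="docsUrl">Docs</a>
  <img src="/static/logo.png" i18n-src="@@logo" alt="">
  <button [title]="hint" i18n-title="@@hint">?</button>
  <video [attr.poster]="posterUrl" i18n-poster></video>
  <form action="{{ submitUrl }}" i18n-action="@@submit"></form>
</nav>`;

for (const f of findRiskyBindings(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> binds ${f.binding} and carries i18n-${f.attribute}`);
}
```

To use it on a real code base, read each component template into findRiskyBindings and review the data source behind every flagged binding: a hit whose expression is a build-time constant is not exploitable, while one fed from a route parameter, an API response or a database column satisfies the second precondition and needs either the upgrade or the explicit sanitization described under Mitigation.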
Mitigation
Angular has released fixes across all actively supported branches via pull requests #67541 and #67561. Developers should upgrade immediately to:
- Angular 22.0.0-next.3 (pre-release track)
- Angular 21.2.4
- Angular 20.3.18
- Angular 19.2.20
For teams that cannot patch immediately, two workarounds are available:
- Avoid binding untrusted input to any of the 12 affected attributes on elements that also carry an i18n-<attribute> marker
- Explicitly sanitize values using Angular’s DomSanitizer with the appropriate SecurityContext before binding, as shown below:
```typescript
import { SecurityContext, inject } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';

// As a field of a component or service (inject() needs an injection context)
private readonly sanitizer = inject(DomSanitizer);
// A javascript: value comes back prefixed with "unsafe:", so it can no longer execute; null input yields null
this.url = this.sanitizer.sanitize(SecurityContext.URL, dangerousUrl) || '';
```
FAQ
Q1: Does CVE-2026-32635 affect every Angular app using i18n?
No, only apps that also bind untrusted user-controlled input to one of the 12 confirmed security-sensitive attributes on the same element where i18n-<attribute> is present are vulnerable.
Q2: Will Angular 17 and 18 users receive a patch for this vulnerability?
No, Angular 17 and 18 are end-of-life, meaning users must migrate to Angular 19.2.20 or higher to receive an official security fix.
Q3: Can Angular’s DomSanitizer be used as a manual workaround until patching is possible?
Yes, explicitly passing bound values through DomSanitizer.sanitize() with the correct SecurityContext effectively neutralizes this bypass until the patch is applied.
Q4: What is the CVSS severity rating of CVE-2026-32635?
CVE-2026-32635 is rated High under CVSS v4.0 with full high-impact scores across confidentiality, integrity, and availability of the vulnerable system.
Site: https://thecybrdef.com