Platform
nodejs
Component
@angular/core
Fixed in
22.0.0-next.3
21.2.4
20.3.18
19.2.20
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It affects applications that mark a security-sensitive attribute, such as the href attribute of an anchor tag, for translation with Angular's internationalization (i18n) syntax (i18n-href and similar i18n-<attribute> markers). In that configuration the translated attribute value bypasses Angular's built-in sanitization for that attribute, so attacker-controlled data that reaches the attribute can inject script. Affected versions include @angular/core 21.0.0 through 21.2.3, fixed in 21.2.4; the fixed releases for the other lines listed above are 20.3.18, 19.2.20 and 22.0.0-next.3.
Successful exploitation of CVE-2026-32635 lets an attacker execute arbitrary JavaScript in the victim's browser within the origin of the vulnerable Angular application. Consequences include session hijacking, defacement of the application, redirection to phishing sites and theft of sensitive user data; where the application handles sensitive information or performs critical operations, the attacker can effectively act as the user. Because the attack vector is an internationalized attribute rather than an ordinary binding, the vulnerable pattern is easy to overlook in code review and in automated template scanning.
This vulnerability was publicly disclosed on March 13, 2026. There is currently no indication of active exploitation in the wild, but the availability of a public proof-of-concept increases the risk. Because exploitation requires the i18n-<attribute> pattern on a security-sensitive attribute, the vulnerable configuration is less common than a generic XSS sink, but the impact is the same wherever it is present. It is not currently listed in CISA KEV.
Applications built with @angular/core 21.0.0 through 21.2.3 are at risk; consult the fixed-version list above for the 19.x, 20.x and 22 pre-release lines. This includes web applications, single-page applications (SPAs) and any other project that ships the @angular/core runtime. Teams relying on third-party components that pin a vulnerable version are also indirectly at risk, so check the lockfile rather than only package.json, since nested copies of @angular/core can differ from the top-level one.
• nodejs / supply-chain (Windows host, PowerShell): enumerate running Node processes and their binaries. This only shows where Node is running; it does not reveal which @angular/core version an application was built with.

    Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object Name, Id, Path

• generic web: check whether the server sets the legacy X-XSS-Protection header. This header is deprecated and does nothing against this vulnerability, which is template-level; its presence or absence is a hardening observation, not evidence either way.

    curl -I https://your-angular-app.com/ | grep -i 'x-xss-protection'

• generic web: inspect the application's templates for i18n-<attribute> markers on security-sensitive attributes (href, src, srcdoc, style, formaction and similar) whose value is data-bound, by interpolation or property binding, to user-supplied data. The authoritative check is the installed @angular/core version in your lockfile against the fixed releases listed above.
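The manual template review above can be mechanized. The following is an added example, not code from the Angular project or from this advisory: a small scanner that flags i18n-<attribute> markers on security-sensitive attributes and reports whether the attribute value is data-bound. The set of sensitive tag/attribute pairs is an assumption drawn from Angular's DOM security schema (extend it for the elements your application uses), and the sample template is constructed for the demonstration.

```javascript
// Added example, not code from the Angular project: flag i18n-<attr> markers on
// security-sensitive attributes in an Angular template and report whether the
// attribute value is data-bound (interpolation, [attr] or bind-attr).

// Tag/attribute pairs Angular treats as security-sensitive (URL, resource URL,
// HTML or style context). ASSUMPTION: subset taken from Angular's DOM security
// schema; '*' applies to every element. Extend for your application.
const SENSITIVE = new Map([
  ['*', ['style', 'formaction', 'innerhtml', 'outerhtml']],
  ['a', ['href']], ['area', ['href']], ['base', ['href']], ['link', ['href']],
  ['form', ['action']],
  ['img', ['src']], ['input', ['src']], ['source', ['src']], ['track', ['src']],
  ['audio', ['src']], ['video', ['src', 'poster']],
  ['iframe', ['src', 'srcdoc']], ['embed', ['src']], ['script', ['src']],
  ['object', ['data', 'codebase']],
].map(([tag, attrs]) => [tag, new Set(attrs)]));

// Opening tags only: the name must start with a letter, so </tag> never matches.
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// Attribute name with an optional quoted or bare value; names may contain [ ] and -.
const ATTR_RE = /([^\s"'=<>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function isSensitive(tag, attr) {
  const a = attr.toLowerCase();
  const forTag = SENSITIVE.get(tag.toLowerCase());
  return SENSITIVE.get('*').has(a) || (forTag !== undefined && forTag.has(a));
}

function parseAttrs(rawAttrs) {
  const attrs = new Map();
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    attrs.set(m[1], m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// An attribute is data-bound if it is a property binding ([href], bind-href)
// or its static value contains an interpolation ({{ ... }}).
function isBound(attrs, name) {
  if (attrs.has(`[${name}]`) || attrs.has(`bind-${name}`)) return true;
  const value = attrs.get(name);
  return value !== undefined && /\{\{[\s\S]*?\}\}/.test(value);
}

// One finding per i18n-<attr> marker that targets a sensitive attribute.
// bound === true is the pattern the advisory warns about; static values are
// reported as well so you can decide whether the marker is still wanted.
function scanTemplate(template) {
  const findings = [];
  for (const m of template.matchAll(TAG_RE)) {
    const [, tag, rawAttrs] = m;
    const attrs = parseAttrs(rawAttrs);
    const line = template.slice(0, m.index).split('\n').length;
    for (const name of attrs.keys()) {
      if (!name.toLowerCase().startsWith('i18n-')) continue;
      const target = name.slice('i18n-'.length);
      if (!isSensitive(tag, target)) continue;
      findings.push({ line, tag, attribute: target, bound: isBound(attrs, target) });
    }
  }
  return findings;
}

// Constructed sample template (not taken from any real application).
const SAMPLE_TEMPLATE = `
<a i18n-href href="{{ profileUrl }}">Profile</a>
<a i18n-href href="/help">Help</a>
<a href="{{ profileUrl }}">Not translated</a>
<img i18n-src [src]="avatarUrl" alt="avatar">
<button i18n-title title="{{ tip }}">Save</button>
<iframe i18n-srcdoc bind-srcdoc="doc"></iframe>
`;

for (const f of scanTemplate(SAMPLE_TEMPLATE)) {
  const kind = f.bound ? 'RISK' : 'info';
  const why = f.bound ? 'value is data-bound' : 'static value';
  console.log(`${kind} line ${f.line}: <${f.tag} i18n-${f.attribute}> (${why})`);
}
```

Run it over each .html template in your source tree (or over inline templates extracted from components). A RISK line is exactly the combination the advisory describes; whether the bound expression can carry untrusted input still needs a human judgement.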
Disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
The primary mitigation for CVE-2026-32635 is to upgrade @angular/core to the fixed release for your line (21.2.4, 20.3.18, 19.2.20 or 22.0.0-next.3) or later. If an immediate upgrade is not feasible, remove the i18n-<attribute> marker from security-sensitive attributes whose value is data-bound, or make those values static, and validate and encode user-supplied data before it reaches such attributes. Review every use of i18n-<attribute> in your templates, particularly on href, src, srcdoc, style and formaction. A WAF may block some payloads but is not a substitute for patching. Monitor application logs for unusual activity or script-execution patterns that might indicate exploitation attempts.
Update Angular to version 22.0.0-next.3, 21.2.4, 20.3.18 or 19.2.20 or later, depending on the version you are currently on. This fixes the XSS vulnerability in i18n-translated attributes.
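To turn the fixed-version list into a check you can run against a lockfile, here is an added example (not tooling from the Angular project or from this advisory). It compares an installed @angular/core version with the fixed release for its major line using semver ordering, so that the 22.0.0-next.3 pre-release is handled correctly, and applies that to every copy of @angular/core found in a package-lock.json. The lockfile content is constructed for the demonstration. It assumes that every release below the listed fix in the same major line is affected, which the fixed-version list implies but which you should confirm against the official advisory; majors with no listed fix are reported as unknown rather than guessed.

```javascript
// Added example, not Angular project tooling: assess installed @angular/core
// versions against the fixed releases listed in this advisory.

// Fixed versions from the advisory header, keyed by major line.
const FIXED = { 19: '19.2.20', 20: '20.3.18', 21: '21.2.4', 22: '22.0.0-next.3' };

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// semver.org ordering: numeric core fields first, then pre-release identifiers.
// A pre-release sorts before the release it precedes (22.0.0-next.3 < 22.0.0).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;          // shorter identifier list is lower
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p < +q ? -1 : 1; }
    else if (pn !== qn) return pn ? -1 : 1;  // numeric identifiers sort below alphanumeric
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// 'fixed', 'vulnerable', or 'unknown' when the advisory lists no fix for that major line
// (ASSUMPTION: anything below the listed fix in a covered line is treated as affected).
function assessAngularCore(version) {
  const { major } = parseSemver(version);
  const fixed = FIXED[major];
  if (!fixed) return 'unknown';
  return compareSemver(version, fixed) >= 0 ? 'fixed' : 'vulnerable';
}

// Every installed copy of @angular/core in a lockfileVersion 2/3 package-lock.json,
// including copies nested under other packages.
function assessLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/@angular/core' || path.endsWith('/node_modules/@angular/core')) {
      results.push({ path, version: meta.version, status: assessAngularCore(meta.version) });
    }
  }
  return results;
}

// Constructed package-lock.json fragment for the demonstration.
const SAMPLE_LOCK = JSON.stringify({
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@angular/core': '^21.2.0' } },
    'node_modules/@angular/core': { version: '21.2.3' },
    'node_modules/some-lib/node_modules/@angular/core': { version: '20.3.18' },
  },
});

for (const r of assessLockfile(SAMPLE_LOCK)) {
  console.log(`${r.status.padEnd(10)} ${r.version.padEnd(14)} ${r.path}`);
}
```

Replace SAMPLE_LOCK with the contents of your own package-lock.json; a single 'vulnerable' entry, even a nested one pulled in by a third-party library, means the application ships an affected runtime.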
CVE-2026-32635 is a Cross-Site Scripting (XSS) vulnerability in @angular/core versions 21.0.0–21.2.3. It allows attackers to inject malicious scripts by bypassing Angular's sanitization when internationalizing security-sensitive attributes.
If your Angular application uses @angular/core versions 21.0.0 through 21.2.3 and utilizes internationalization with security-sensitive attributes, you are potentially affected.
Upgrade to @angular/core version 21.2.4 or later. Review your code to avoid using i18n-<attribute> on security-sensitive attributes with untrusted user input.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it likely that exploits will emerge.
Refer to the official Angular security advisory for detailed information and updates: https://github.com/angular/angular/security/advisories/GHSA-xxxx-xxxx-xxxx