Platform: nodejs
Component: @angular/core
Fixed in: 22.0.0-next.3, 21.2.4, 20.3.18, 19.2.20
A Cross-Site Scripting (XSS) vulnerability has been discovered within the Angular runtime and compiler, specifically impacting versions 21.0.0 through 21.2.3. This vulnerability arises when applications utilize security-sensitive attributes, such as the href attribute on an anchor tag, in conjunction with Angular's internationalization features. Exploitation allows attackers to inject malicious scripts, potentially compromising user data and application functionality. A fix is available in version 21.2.4.
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into a user's browser when they interact with a vulnerable Angular application. The attack vector involves leveraging Angular's internationalization (i18n-) feature on security-sensitive attributes. By adding i18n-<attribute> to an attribute like href, Angular's built-in sanitization mechanisms are bypassed. If this attribute is then bound to untrusted user-supplied data, an attacker can inject malicious scripts. Successful exploitation could lead to session hijacking, defacement of the application, or redirection to malicious websites. The blast radius extends to all users interacting with the vulnerable application, particularly those who are authenticated.
This vulnerability was publicly disclosed on 2026-03-13. Currently, there are no known active campaigns exploiting this specific CVE. While no public proof-of-concept (PoC) code has been released, the nature of XSS vulnerabilities makes it likely that PoCs will emerge. The vulnerability is not listed on CISA KEV as of this writing.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC
The primary mitigation is to upgrade to @angular/core version 21.2.4 or later, which contains the fix. If upgrading immediately is not feasible, developers should carefully review their code for instances where security-sensitive attributes are used with Angular's internationalization feature. Avoid using i18n-<attribute> on attributes like href, src, or onclick when the value is derived from untrusted user input. Implement robust input validation and sanitization to prevent the injection of malicious scripts. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out potentially malicious requests. After upgrading, confirm the fix by testing the application with various inputs, including those designed to trigger XSS vulnerabilities.
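A quick way to do the code-review step above: the template audit helper below is an added example, not Angular's or the advisory's own code. It assumes the list of security-sensitive attributes in SENSITIVE and a constructed sample template, and it flags elements on which an i18n-<attribute> marker and a dynamic binding ([href], [attr.href], bind-href or href="{{ ... }}") target the same sensitive attribute, the combination the advisory describes.

```javascript
// Added audit helper (example, not Angular's own code). SENSITIVE is an
// assumed list: extend it to match your own review policy. This is a
// heuristic regex scan; a literal '>' inside an attribute value confuses it.
const SENSITIVE = new Set(['href', 'src', 'srcdoc', 'formaction', 'xlink:href']);
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Name of the attribute a binding targets, or null when the value is static.
function boundTarget(name, value) {
  let m;
  if ((m = /^\[(?:attr\.)?([^\]]+)\]$/.exec(name))) return m[1]; // [href], [attr.href]
  if ((m = /^bind-(?:attr\.)?(.+)$/.exec(name))) return m[1];    // bind-href
  if (value !== undefined && /\{\{[\s\S]*\}\}/.test(value)) return name; // href="{{ url }}"
  return null;
}

// Returns one finding per element where an i18n-<attr> marker and a dynamic
// binding both target an attribute listed in SENSITIVE.
function findRiskyI18nAttributes(template) {
  const findings = [];
  for (const tag of template.matchAll(TAG_RE)) {
    const [, tagName, attrText] = tag;
    const line = template.slice(0, tag.index).split('\n').length;
    const i18nTargets = new Map(); // attribute -> i18n-<attr> marker
    const bound = new Map();       // attribute -> binding syntax used
    for (const a of attrText.matchAll(ATTR_RE)) {
      const name = a[1];
      const value = a[2] ?? a[3] ?? a[4];
      if (name.startsWith('i18n-')) i18nTargets.set(name.slice(5), name);
      const target = boundTarget(name, value);
      if (target) bound.set(target, name);
    }
    for (const [attr, marker] of i18nTargets) {
      if (SENSITIVE.has(attr) && bound.has(attr)) {
        findings.push({ line, tag: tagName, attribute: attr, marker, binding: bound.get(attr) });
      }
    }
  }
  return findings;
}

// Constructed sample template (not taken from the advisory).
const SAMPLE_TEMPLATE = [
  '<a i18n-href="@@docsLink" [href]="docsUrl">Docs</a>',          // line 1: flagged
  '<a i18n-href="@@homeLink" href="/home">Home</a>',               // line 2: static value, not flagged
  '<img i18n-alt="@@logoAlt" [src]="logoUrl" alt="Logo">',         // line 3: i18n on alt only, not flagged
  '<iframe i18n-src="@@helpFrame" src="{{ helpUrl }}"></iframe>', // line 4: flagged
].join('\n');
for (const f of findRiskyI18nAttributes(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.marker} is combined with ${f.binding}`);
}
```

Run it over each component template before upgrading to get the list of places that need review; a clean result does not replace the upgrade.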
Update @angular/core to 22.0.0-next.3, 21.2.4, 20.3.18 or 19.2.20 (or later), whichever corresponds to the major version you currently run. This fixes the XSS vulnerability in i18n attribute binding.
CVE-2026-32635 is a Cross-Site Scripting (XSS) vulnerability in @angular/core versions 21.0.0–21.2.3. It allows attackers to inject malicious scripts by bypassing Angular's sanitization when internationalizing security-sensitive attributes.
If your Angular application uses @angular/core versions 21.0.0 through 21.2.3 and utilizes internationalization with security-sensitive attributes, you are potentially affected.
Upgrade to @angular/core version 21.2.4 or later. Review your code to avoid using i18n-<attribute> on security-sensitive attributes with untrusted user input.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it likely that exploits will emerge.
Refer to the official Angular security advisory for detailed information and updates: https://github.com/angular/angular/security/advisories/GHSA-xxxx-xxxx-xxxx