Platform: nodejs
Component: @angular/core
Fixed in: 22.0.0-next.3, 21.2.4, 20.3.18, 19.2.20
A Cross-Site Scripting (XSS) vulnerability has been discovered within the Angular runtime and compiler, specifically impacting versions 21.0.0 through 21.2.3. This vulnerability arises when applications utilize security-sensitive attributes, such as the href attribute on an anchor tag, in conjunction with Angular's internationalization features. Exploitation allows attackers to inject malicious scripts, potentially compromising user data and application functionality. A fix is available in version 21.2.4.
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into a user's browser when they interact with a vulnerable Angular application. The attack vector involves leveraging Angular's internationalization (i18n-) feature on security-sensitive attributes. By adding i18n-<attribute> to an attribute like href, Angular's built-in sanitization mechanisms are bypassed. If this attribute is then bound to untrusted user-supplied data, an attacker can inject malicious scripts. Successful exploitation could lead to session hijacking, defacement of the application, or redirection to malicious websites. The blast radius extends to all users interacting with the vulnerable application, particularly those who are authenticated.
This vulnerability was publicly disclosed on 2026-03-13. Currently, there are no known active campaigns exploiting this specific CVE. While no public proof-of-concept (PoC) code has been released, the nature of XSS vulnerabilities makes it likely that PoCs will emerge. The vulnerability is not listed on CISA KEV as of this writing.
Applications built with Angular versions 21.0.0 through 21.2.3 are at risk. This includes web applications, single-page applications (SPAs), and any other projects utilizing the @angular/core library. Teams relying on third-party components that depend on these vulnerable versions are also indirectly at risk.
• nodejs / supply-chain:
Get-Process | Where-Object {$_.ProcessName -like '*node*'} | Select-Object Name, Id, Path
• generic web:
curl -I https://your-angular-app.com/ | grep -i 'x-xss-protection'
• generic web:
Inspect the application's source code for instances of i18n- attributes used on security-sensitive HTML elements where the attribute value is bound to user-supplied data.
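The last item above, inspecting templates for i18n- markers on security-sensitive attributes, is the one check that looks at where this bug actually lives; the X-XSS-Protection header check cannot detect it, because the flaw is in the compiled template rather than in response headers. Below is an added example of that inspection as a small Node.js script. It is not the advisory's or Angular's own code: the sensitive-attribute set, the subset of template syntax it recognises, and the sample templates are assumptions constructed for the example.

```javascript
'use strict';

// Added example for the source-code check in the advisory (not Angular's own tooling).
// It scans Angular templates for an i18n-<attr> marker on a security-sensitive
// attribute and reports whether that attribute is bound to component data, which is
// the pattern the advisory describes. Attribute set and samples are assumptions.

// Attributes whose values Angular treats as URLs or resource URLs (assumed list).
const SENSITIVE_ATTRS = new Set([
  'href', 'src', 'srcset', 'srcdoc', 'action', 'formaction', 'xlink:href',
]);

// One element start tag: captures the tag name and the raw attribute text.
const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
// One attribute token: name plus optional quoted or bare value. The name class
// admits Angular syntax such as [href], [attr.href], bind-href, (click) and *ngIf.
const ATTR_RE = /([\w.:\[\]()@#*-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs.push({ name: m[1], value: m[2] ?? m[3] ?? m[4] ?? '' });
  }
  return attrs;
}

// Reduce an Angular attribute name to the HTML attribute it targets:
// [href], [attr.href] and bind-href all map to href.
function baseName(name) {
  let n = name.toLowerCase();
  if (n.startsWith('[') && n.endsWith(']')) n = n.slice(1, -1);
  if (n.startsWith('bind-')) n = n.slice('bind-'.length);
  if (n.startsWith('attr.')) n = n.slice('attr.'.length);
  return n;
}

// A value is "bound" if it comes from the component: property or attribute
// binding, a bind- prefix, or interpolation inside a static attribute value.
function isBound(attr) {
  return attr.name.startsWith('[') || attr.name.startsWith('bind-') || attr.value.includes('{{');
}

// Scan one template; returns one finding per i18n-<sensitive attr> marker found.
function scanTemplate(template, file = 'template.html') {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let tag;
  while ((tag = TAG_RE.exec(template)) !== null) {
    const attrs = parseAttrs(tag[2]);
    const boundTargets = new Set(attrs.filter(isBound).map((a) => baseName(a.name)));
    for (const a of attrs) {
      if (!a.name.toLowerCase().startsWith('i18n-')) continue;
      const target = a.name.slice('i18n-'.length).toLowerCase();
      if (!SENSITIVE_ATTRS.has(target)) continue;
      const bound = boundTargets.has(target);
      findings.push({
        file,
        line: template.slice(0, tag.index).split('\n').length,
        element: tag[1],
        attribute: target,
        bound,
        // Bound data is the exploitable case; a static value still deserves review.
        severity: bound ? 'high' : 'review',
      });
    }
  }
  return findings;
}

function scanAll(templates) {
  return Object.entries(templates).flatMap(([file, text]) => scanTemplate(text, file));
}

function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

// Constructed sample templates (not taken from any real application).
const SAMPLE_TEMPLATES = {
  'flagged.html': '<a i18n-href="@@docsLink" [href]="userUrl">Docs</a>\n' +
                  '<img i18n-src [src]="avatarUrl" alt="">',
  'review.html': '<a i18n-href="@@staticLink" href="/docs">Docs</a>',
  'clean.html': '<a i18n-title="@@tip" title="Docs" [href]="safeUrl">Docs</a>\n<p i18n>Hello</p>',
};

for (const f of scanAll(SAMPLE_TEMPLATES)) console.log(JSON.stringify(f));
```

Run it with node after replacing SAMPLE_TEMPLATES with the contents of your own .html templates (and the inline templates of your components). A "high" finding means the i18n-marked attribute receives component data, so the next step is to trace that data back to its source; a "review" finding is a static value and is lower priority. In either case the fix remains the upgrade to a patched @angular/core; the scan only tells you where the risky combination exists.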
disclosure
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
The primary mitigation is to upgrade to @angular/core version 21.2.4 or later, which contains the fix. If upgrading immediately is not feasible, developers should carefully review their code for instances where security-sensitive attributes are used with Angular's internationalization feature. Avoid using i18n-<attribute> on attributes like href, src, or onclick when the value is derived from untrusted user input. Implement robust input validation and sanitization to prevent the injection of malicious scripts. Consider using a Web Application Firewall (WAF) with XSS protection rules to filter out potentially malicious requests. After upgrading, confirm the fix by testing the application with various inputs, including those designed to trigger XSS vulnerabilities.
Update Angular to version 22.0.0-next.3, 21.2.4, 20.3.18 or 19.2.20, or later, as appropriate for your current version. This fixes the XSS vulnerability in i18n attribute binding.
CVE-2026-32635 is a Cross-Site Scripting (XSS) vulnerability in @angular/core versions 21.0.0–21.2.3. It allows attackers to inject malicious scripts by bypassing Angular's sanitization when internationalizing security-sensitive attributes.
If your Angular application uses @angular/core versions 21.0.0 through 21.2.3 and utilizes internationalization with security-sensitive attributes, you are potentially affected.
Upgrade to @angular/core version 21.2.4 or later. Review your code to avoid using i18n-<attribute> on security-sensitive attributes with untrusted user input.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it likely that exploits will emerge.
Refer to the official Angular security advisory for detailed information and updates: https://github.com/angular/angular/security/advisories/GHSA-xxxx-xxxx-xxxx