Critical Angular XSS Vulnerability Puts Thousands of Web Applications at Risk
A significant security flaw has been identified in the Angular framework, a widely utilized platform for building web applications. This vulnerability, cataloged as CVE-2026-32635 and classified under CWE-79, pertains to Cross-Site Scripting (XSS) and affects both the `@angular/compiler` and `@angular/core` packages. Given Angular’s extensive adoption across various enterprise and consumer web applications, this issue presents a substantial risk to numerous online platforms.
Understanding the Vulnerability
The core of this vulnerability lies in Angular’s handling of internationalization (i18n) for security-sensitive HTML attributes. Angular is renowned for its robust built-in sanitization mechanisms designed to automatically neutralize malicious inputs, thereby preventing code injection attacks. However, researchers have discovered that these protective measures can be circumvented under specific conditions involving the i18n process.
When developers enable internationalization for certain attributes by adding directives like `i18n-href` to elements such as anchor tags, Angular processes these attributes for translation purposes. If, concurrently, untrusted user-generated data is bound to these localized attributes, it creates an opportunity for attackers to inject harmful scripts. This scenario arises because the i18n binding inadvertently causes Angular to bypass its standard security checks, leaving attributes like `href`, `src`, `action`, `formaction`, and `data` vulnerable to exploitation.
Exploitation Scenarios and Potential Impact
To exploit this vulnerability, several conditions must align:
1. Vulnerable Angular Version: The application must be running an affected version of Angular.
2. Unsanitized User Input: The application binds untrusted user input to a sensitive attribute.
3. Internationalization Directive: The attribute is marked for internationalization using the `i18n-
When these conditions are met, an attacker can execute arbitrary JavaScript code within the context of the vulnerable application. The consequences of such exploitation are severe and multifaceted:
– Session Hijacking: Attackers can steal session cookies and authentication tokens, gaining unauthorized access to user accounts.
– Data Exfiltration: Malicious scripts can silently capture and transmit sensitive user data to external servers controlled by the attacker.
– Unauthorized Actions: Attackers can manipulate the application to perform actions on behalf of the user, potentially leading to data manipulation or destruction.
Affected Versions and Mitigation Measures
The Angular development team has released security updates addressing this vulnerability across multiple release tracks. The affected and corresponding patched versions are as follows:
– @angular/compiler and @angular/core Packages:
– Versions 22.0.0-next.0 through below 22.0.0-next.3 are vulnerable; patched in 22.0.0-next.3.
– Versions 21.0.0-next.0 through 21.2.4 are vulnerable; patched in 21.2.4.
– Versions 20.0.0-next.0 through 20.3.18 are vulnerable; patched in 20.3.18.
– Versions 19.0.0-next.0 through 19.2.20 are vulnerable; patched in 19.2.20.
– Versions 17.0.0-next.0 through 18.2.14 are vulnerable; no official patch is currently available.
Recommended Actions:
1. Immediate Update: The most effective mitigation strategy is to update Angular applications to the latest patched versions as listed above.
2. Input Sanitization: If immediate updating is not feasible, ensure that any data bound to vulnerable attributes is strictly sanitized and does not originate from untrusted sources such as user inputs, database queries, API responses, or URL parameters.
3. Manual Sanitization: Developers can utilize Angular’s `DomSanitizer` to manually sanitize inputs before binding them to the Document Object Model (DOM). This proactive measure neutralizes potential threats even if the internationalization bypass is triggered.
Conclusion
The discovery of CVE-2026-32635 underscores the critical importance of maintaining up-to-date software and implementing rigorous input validation practices. Organizations leveraging Angular for their web applications must promptly assess their systems, apply necessary updates, and adopt comprehensive security measures to safeguard against potential exploits stemming from this vulnerability.
