DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32635: Cross-Site Scripting (XSS) via i18n Attribute Binding in Angular

Vulnerability ID: CVE-2026-32635
CVSS Score: 8.6
Published: 2026-03-13

Angular framework versions 17.x through 22.0.0-next.2 contain a cross-site scripting (XSS) vulnerability caused by a sanitization bypass in the internationalization (i18n) compiler pipeline. When sensitive HTML attributes such as href or src are marked for translation with the i18n- prefix, the Angular Ivy renderer fails to apply its default security sanitization to their bound values. This permits the injection of malicious javascript: URIs through those attributes.

TL;DR

Angular's i18n attribute parsing bypasses sanitization, allowing arbitrary XSS execution via data-bound sensitive attributes like href or src.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Cross-Site Scripting (XSS)
  • CWE ID: CWE-79
  • CVSS v4.0 Score: 8.6 (High)
  • Attack Vector: Network
  • User Interaction: Required
  • Exploit Status: Proof of Concept Available

Affected Systems

  • @angular/compiler
  • @angular/core
  • @angular/compiler: >= 22.0.0-next.0, < 22.0.0-next.3 (Fixed in: 22.0.0-next.3)
  • @angular/compiler: >= 21.0.0-next.0, < 21.2.4 (Fixed in: 21.2.4)
  • @angular/compiler: >= 20.0.0-next.0, < 20.3.18 (Fixed in: 20.3.18)
  • @angular/compiler: >= 17.0.0-next.0, < 19.2.20 (Fixed in: 19.2.20)
  • @angular/core: >= 22.0.0-next.0, < 22.0.0-next.3 (Fixed in: 22.0.0-next.3)
  • @angular/core: >= 21.0.0-next.0, < 21.2.4 (Fixed in: 21.2.4)
  • @angular/core: >= 20.0.0-next.0, < 20.3.18 (Fixed in: 20.3.18)
  • @angular/core: >= 17.0.0-next.0, < 19.2.20 (Fixed in: 19.2.20)

Code Analysis

  • Commit 224e60e (fix in @angular/core): applies the dynamic sanitizer logic to i18nAttributesFirstPass.
  • Commit 78dea55 (fix in @angular/compiler): adds iframe|src to TRUSTED_TYPES_SINKS.

Mitigation Strategies

  • Upgrade Angular dependencies (@angular/core, @angular/compiler) to the patched versions.
  • Implement a strict Content Security Policy (CSP) omitting 'unsafe-inline' in the script-src directive.
  • Enable and enforce Trusted Types to prevent untyped string assignments to DOM sinks.
  • Conduct static analysis code reviews to identify i18n bindings on sensitive attributes (e.g., href, src).
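A small triage scanner for the last point, added here as an example (it is not code from the advisory or from the Angular project): it flags template elements where a sensitive attribute is both data-bound and i18n-marked, the combination this CVE concerns. It assumes a regex-based tag tokenizer is adequate for a first pass and that the sensitive-attribute set (href, src) is a starting point to extend, not Angular's own list.

```javascript
// Constructed for this example; not the advisory's or Angular's code.
const SENSITIVE_ATTRS = new Set(["href", "src"]);          // assumption: extend as needed

// Opening tag: captures element name and its raw attribute text.
const TAG_RE = /<([a-zA-Z][\w:-]*)\b([^>]*?)\/?>/g;
// One attribute: name, then an optional ="..." or ='...' value.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?/g;

// Map an attribute name to the DOM attribute it targets and say whether
// Angular would bind its value dynamically (the case the sanitizer must cover).
function classifyAttr(name, value) {
  let m;
  if ((m = /^\[(?:attr\.)?([\w-]+)\]$/.exec(name)))          // [href] or [attr.href]
    return { target: m[1].toLowerCase(), bound: true };
  if ((m = /^bind-(?:attr\.)?([\w-]+)$/.exec(name)))         // bind-href
    return { target: m[1].toLowerCase(), bound: true };
  const bound = value !== undefined && value.includes("{{"); // href="{{ url }}"
  return { target: name.toLowerCase(), bound };
}

// Return [{line, element, attribute}] for every bound, i18n-marked sensitive attribute.
function findRiskyI18nBindings(template) {
  const findings = [];
  let tag;
  while ((tag = TAG_RE.exec(template)) !== null) {
    const attrs = [];
    const i18nMarked = new Set();
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(tag[2])) !== null) {
      const value = a[2] !== undefined ? a[2] : a[3];
      if (/^i18n-/i.test(a[1])) i18nMarked.add(a[1].slice(5).toLowerCase());
      else attrs.push(classifyAttr(a[1], value));
    }
    for (const { target, bound } of attrs) {
      if (bound && SENSITIVE_ATTRS.has(target) && i18nMarked.has(target)) {
        const line = template.slice(0, tag.index).split("\n").length;
        findings.push({ line, element: tag[1], attribute: target });
      }
    }
  }
  return findings;
}

// Constructed sample template: lines 1 and 2 should be flagged, the rest should not.
const SAMPLE_TEMPLATE = [
  '<a [href]="link" i18n-href>Docs</a>',
  '<img src="{{ imgUrl }}" i18n-src alt="">',
  '<a href="{{ other }}">bound, but not i18n-marked</a>',
  '<a [href]="link" i18n-title title="hi">i18n on a non-sensitive attribute</a>',
  '<iframe src="about:blank" i18n-src></iframe>',
].join("\n");

function scanSample() { return findRiskyI18nBindings(SAMPLE_TEMPLATE); }
```

Run it over the project's .html template files during review; hits are candidates to rewrite without the i18n- marker on the bound attribute, or to confirm the upgraded framework sanitizes.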

Remediation Steps:

  1. Identify the current Angular major version utilized by the project.
  2. Update package.json to reflect the patched version (19.2.20, 20.3.18, 21.2.4, or 22.0.0-next.3).
  3. Execute the package manager update command (e.g., npm update @angular/core @angular/compiler).
  4. Rebuild the application to apply the patched compiler logic to template artifacts.
  5. Deploy the updated build to production environments.
