CVE-2026-32635 in angular

Summary

by MITRE • 03/16/2026

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n-<attribute> name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability is fixed in 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20.


Analysis

by VulDB Data Team • 05/05/2026

The identified vulnerability CVE-2026-32635 represents a critical cross-site scripting flaw within the Angular framework that affects the 19.x, 20.x, 21.x and 22.0.0-next release lines prior to the fixed versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20. This security issue stems from the improper handling of internationalization attributes in Angular's runtime and compiler components, creating a condition where user-supplied data can bypass built-in sanitization mechanisms. The vulnerability specifically manifests when applications use security-sensitive HTML attributes such as href on anchor tags in conjunction with Angular's internationalization capabilities, revealing a weakness in how the framework processes localized attribute values.

The technical exploitation of this vulnerability occurs through a specific combination of conditions that bypass Angular's security controls. When developers enable internationalization for security-sensitive attributes by adding i18n- prefixes to attribute names, the framework's built-in sanitization mechanisms are effectively bypassed. This creates a scenario where data binding operations to untrusted user-generated content can inject malicious scripts into the application's output. The flaw operates at the intersection of Angular's internationalization system and its security model, where the sanitization process fails to properly validate or escape content when internationalized attributes are present, making it particularly insidious as it leverages legitimate framework functionality to enable attacks.

The operational impact of this vulnerability extends beyond simple script injection: an attacker can run attacker-controlled script in the victim's browser within the origin of the affected application. This could result in session hijacking, data theft, defacement of web applications, or more sophisticated attacks such as credential theft and privilege escalation within the application. The vulnerability affects the core Angular runtime and compiler components, meaning that any application built on an affected version and using internationalization markers on security-sensitive attributes is exposed. Given that Angular is widely used for building enterprise web applications, the potential scope of impact is substantial, particularly in environments where user input is processed without proper validation or sanitization.

Security professionals should note that this vulnerability aligns with CWE-79 Cross-Site Scripting and follows patterns consistent with ATT&CK technique T1203 Exploitation for Client Execution, specifically targeting the application layer of web applications. The fix implemented in versions 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20 addresses the sanitization bypass by strengthening the validation process for internationalized attributes, ensuring that security-sensitive content remains properly escaped regardless of internationalization settings. Organizations should prioritize immediate patching of affected systems, implement comprehensive input validation measures, and conduct security reviews of applications that utilize internationalization features with security-sensitive attributes to prevent exploitation of this vulnerability.
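As a starting point for the review recommended above, the following script is an added example (not Angular project code and not from the advisory) that scans template source for the pattern the advisory describes: an i18n-<attribute> marker on a security-sensitive attribute whose value also comes from interpolation or a binding. It is regex-based triage rather than a full template parser, and the list of sensitive attributes is a non-exhaustive assumption of this example.

```javascript
// Added review aid for the CVE-2026-32635 pattern (not Angular project code): flags template
// elements where an i18n-<attribute> marker sits on a security-sensitive attribute that is also
// fed by interpolation or a binding. Regex-based triage, not a full template parser; the
// sensitive-attribute list is a non-exhaustive assumption of this example.
const SENSITIVE_ATTRS = new Set(["href", "src", "srcdoc", "action", "formaction", "style"]);

// One start tag with its attribute text; values may be double-quoted, single-quoted or bare.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
// One attribute within that text: name, then an optional value in one of the three forms.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function scanTemplate(template) {
  const findings = [];
  TAG_RE.lastIndex = 0;
  let tagMatch;
  while ((tagMatch = TAG_RE.exec(template)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    const attrs = new Map();
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(tagMatch[2])) !== null) {
      attrs.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? "");
    }
    const line = template.slice(0, tagMatch.index).split("\n").length; // 1-based line of the tag
    for (const name of attrs.keys()) {
      if (!name.startsWith("i18n-")) continue;
      const target = name.slice("i18n-".length);
      if (!SENSITIVE_ATTRS.has(target)) continue;
      // A static localized value is not the reported pattern; a dynamic one is.
      const reasons = [];
      if ((attrs.get(target) || "").includes("{{")) reasons.push(`${target} uses interpolation`);
      if (attrs.has(`[${target}]`) || attrs.has(`bind-${target}`)) reasons.push(`[${target}] property binding`);
      if (attrs.has(`[attr.${target}]`)) reasons.push(`[attr.${target}] attribute binding`);
      for (const reason of reasons) findings.push({ line, tag, attr: target, reason });
    }
  }
  return findings;
}

// Constructed sample (not from the advisory): lines 2 and 4 match the pattern, 3 and 5 do not.
const SAMPLE_TEMPLATE = `
<a i18n-href href="/docs/{{ userPath }}">Docs</a>
<a i18n-title title="Profile of {{ name }}" [href]="safeLink">Profile</a>
<img i18n-src [src]="avatarUrl">
<a i18n-href href="/static/help">Help</a>
`;
console.log(scanTemplate(SAMPLE_TEMPLATE));
```

A hit means the element deserves a manual look (and an upgrade to a fixed version), not that it is necessarily exploitable; a sensitive attribute with only static i18n text is not reported.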

Responsible

GitHub_M

Reservation

03/12/2026

Disclosure

03/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00054

KEV

no

Activities

very low

Sources
